Abstract

Organizations such as hospitals and banks that collect and use personal information are required to comply with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). With the goal of specification and enforcement of such practical policies, we develop the logic PrivacyLFP, whose syntax is an extension of the fixed point logic LFP with operators of linear temporal logic. We model organizational processes by assigning role-based responsibilities to agents that are also expressed in the same logic. To aid in designing such processes, we develop a semantic locality criterion to characterize responsibilities that agents (or groups of agents) have a strategy to discharge, and easily checkable, sound syntactic characterizations of responsibilities that meet this criterion. Policy enforcement is achieved through a combination of techniques: (a) a design-time analysis of the organizational process to show that the privacy policy is respected if all agents act responsibly, using a sound proof system we develop for PrivacyLFP; and (b) a post hoc audit of logs of organizational activity that identifies agents who did not live up to their responsibilities, using a model checking procedure we develop for PrivacyLFP. We illustrate these enforcement techniques using a representative example of an organizational process.


1 Introduction

Privacy is an important concern for organizations that collect and use personal information, such as hospitals, clinics, banks, credit card clearing houses, customer support centers, and academic institutions. These organizations face the growing challenge of managing privacy risks and compliance requirements. In fact, designing organizational processes to manage personal data and ensure compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) [32, 33] has become one of the greatest challenges facing organizations today (see, for example, a recent survey from Deloitte and the Ponemon Institute [19]). This paper develops theoretically well-founded methods to support the compliance process and presents case studies that demonstrate that the methods apply to real privacy regulations.

Our first set of contributions pertains to privacy policy specification. We present the logic PrivacyLFP (see Section 2), whose syntax is an extension of the fixed point logic LFP with operators of linear temporal logic [26]. The formulas of the logic are interpreted over traces containing agent actions, which model, for example, how agents transmit and use personal information. This logic can express common privacy policy idioms, such as conditions on retransmission of information, obligations, notifications, opt-in/opt-out options and disclosure purposes. The choice of the logic was guided by a comprehensive study of the privacy-relevant sections of the HIPAA and GLBA regulations. Specifically, in examining GLBA, we found clauses that required the use of fixed points to specify; clauses in both regulations necessitated the use of temporal operators, real time, and disclosure purposes. This report focuses on the logic and the enforcement of policies represented in it; the formalization of all operational clauses of HIPAA and GLBA is contained in a separate report [20].

Our second set of contributions pertains to modeling organizational processes (see Section 4). We model organizational processes by assigning role-based responsibilities to agents. These responsibilities are also expressed in the same logic. The goal in designing processes is to ensure that if all agents act responsibly, then the policy is satisfied in every execution. However, it is important to ensure that an agent can, in fact, discharge her responsibilities. We present examples of responsibilities in PrivacyLFP that can never be discharged, and then go on to provide a semantic definition of locally feasible responsibilities, which is intended to capture "reasonable" responsibilities. To aid in designing organizational processes, we also present easily checkable, sound syntactic characterizations of responsibilities that meet this criterion, associated strategies for discharging such responsibilities, and theorems about the composition of such responsibilities (Theorem 4.2).

Our final set of contributions pertains to policy enforcement (Section 5). Policy enforcement is achieved through two logic-based methods. Our first method answers the question: Does a given organizational process respect a given privacy policy? This method is based on a sound proof system for PrivacyLFP and is described in Section 5.1. The proof system is obtained by adapting previous proof systems for an intuitionistic logic with fixed points, $\mu$L3 [8, 17], to our classical logic PrivacyLFP; the soundness proof for the proof system with respect to the trace semantics is a new technical result. Our second enforcement method audits logs of organizational activity for violations of principals' assigned responsibilities. It is based on a novel tableau-based model checking procedure for PrivacyLFP that we develop and prove sound in Section 5.2. We illustrate these enforcement techniques using a representative example of an organizational process.

The approach taken in this paper builds on contextual integrity, a conceptual framework for understanding privacy expectations and their implications developed in the literature on law, public policy, and political philosophy [27]. The primary tenet of contextual integrity is that people interact in society not simply as individuals in an undifferentiated social world, but as individuals in certain capacities or roles, in distinctive social contexts (e.g., health care or banking). The semantic model over which the formulas of PrivacyLFP are interpreted formalizes this intuition, in a manner that is similar to prior work by Barth et al. [10, 11]. The conceptual factoring of policy enforcement into design-time analysis assuming agents are responsible and post hoc auditing for responsibility violations also originated in those papers. The results of this paper push forward the program of practical privacy policy specification and enforcement significantly by developing a first-order logic with fixed points that has the additional expressiveness needed to specify real privacy regulations in their entirety (all privacy-relevant clauses of HIPAA and GLBA), and new enforcement techniques based on proof theory and auditing that work for the entire logic. In contrast, the auditing procedure in Barth et al. [11] only works for a very restricted class of "graph-based workflows", and design-time analysis is achieved for a less expressive propositional fragment of a temporal logic. A more detailed comparison with prior work appears in Section 6. Concluding remarks and directions for future work appear in Section 7.


2 Policy Specification

We formally represent privacy laws and responsibilities as formulas of a new logic PrivacyLFP. PrivacyLFP is an extension of the logic LFP [13, 28] with temporal operators, and is interpreted against traces. LFP contains first-order quantifiers and allows definitions of predicates as greatest and least fixed points. After motivating the need for fixed points in formalizing privacy regulation, we briefly review LFP and its semantics (Section 2.1). Then we introduce PrivacyLFP's trace-based model (Section 2.2) and its syntax (Section 2.3). Prior work on which this paper builds [9-11] uses a different logic LPU (Logic of Privacy and Utility), which is based on alternating-time temporal logic or ATL [3]. Although LPU suffices to express representative examples of privacy regulations considered in prior work, it does not suffice to represent entire privacy laws like HIPAA and GLBA [32, 33].

Specifically, LFP and PrivacyLFP can, but LPU cannot, express predicates defined as fixed points of equations, which are needed to formalize GLBA. To understand the need for fixed points, consider §6802(c) of GLBA:

Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.

Suppose that in an attempt to formalize this clause in logic, we define the predicate $\mathsf{maysend}(p_1, p_2, m)$ to mean that entity $p_1$ may send information $m$ to entity $p_2$. Then, roughly, the above clause would be formalized by the definition below. ($\triangleq$ denotes a definition, $\supset$ denotes implication, $\mathsf{activerole}(p, r)$ means that principal $p$ is active in role $r$, and $\blacklozenge\varphi$ means that $\varphi$ held at some point in the past.)

$$\begin{array}{rl}
\mathsf{maysend}(p_1, p_2, m) \triangleq \forall p'. & \neg\mathsf{activerole}(p_1, \mathsf{affiliate}(p')) \wedge \neg\mathsf{activerole}(p_2, \mathsf{affiliate}(p')) \wedge \\
& \neg\mathsf{activerole}(p_2, \mathsf{affiliate}(p_1)) \wedge \\
& (\blacklozenge(\mathsf{send}(p', p_1, m) \wedge \mathsf{activerole}(p', \mathsf{institution})) \supset \blacklozenge\mathsf{maysend}(p', p_2, m))
\end{array}$$

This definition is recursive because the predicate $\mathsf{maysend}$ reappears in the last line on the right side of the definition. Such recursive definitions cannot be expressed easily in first-order logic or LPU. However, in LFP such definitions can be represented either using the least fixed point operator, $\mu$, or using the greatest fixed point operator, $\nu$, as is known from prior work [24]. In this case, the definition should correspond to the greatest fixed point, since we do not want to impose any constraints on transmission beyond those stated in the body of the law: under the least fixed point, a chain of transmissions whose permissions depend on each other cyclically would be forbidden by default, whereas under the greatest fixed point it is permitted unless one of the stated conditions fails. (A further explanation of this point appears with a precise formalization of this clause in Section 3.)

2.1 The Logic LFP

We review the syntax and semantics of the logic LFP (Least Fixed-Point Logic), limiting our discussion to the minimum necessary to explain our technical ideas; the theory of the logic may be found in prior work [13, 28]. LFP is an extension of first-order logic with the least fixed point operator $(\mu X(\bar{x}).\varphi)(\bar{t})$ and the greatest fixed point operator $(\nu X(\bar{x}).\varphi)(\bar{t})$. The former defines an implicit predicate $X$ as the least solution of the equation $X(\bar{x}) = \varphi$ and checks that the tuple of terms $\bar{t}$ satisfies the predicate (i.e., it lies in the least solution). Both $X$ and $\bar{x}$ are in scope in $\varphi$ and can be tacitly renamed. $(\nu X(\bar{x}).\varphi)(\bar{t})$ is similar, except that it defines the predicate as the greatest solution of the same equation. The syntax of LFP formulas $\varphi, \psi$ is shown below. $t$ denotes a first-order term, $x, y$ are first-order variables that range over terms, $P$ denotes a predicate with a fixed interpretation, and variables $X, Y$ denote predicates defined implicitly as fixed points.


$$\varphi, \psi ::= P(\bar{t}) \mid X(\bar{t}) \mid \top \mid \bot \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \neg\varphi \mid \forall x.\varphi \mid \exists x.\varphi \mid (\mu X(\bar{x}).\varphi)(\bar{t}) \mid (\nu X(\bar{x}).\varphi)(\bar{t})$$

We define implication $\varphi \supset \psi$ as $(\neg\varphi) \vee \psi$. The logic is multi-sorted, although we elide the details of sorts here. (Details of sorts relevant to the formalization of HIPAA and GLBA may be found in the companion report [20].) In order to ensure that the least and greatest fixed points always exist, any occurrence of $X$ in $\varphi$ in $(\mu X(\bar{x}).\varphi)(\bar{t})$ and $(\nu X(\bar{x}).\varphi)(\bar{t})$ must be under an even number of negations. The existence of the least and greatest solutions is then a straightforward consequence of the Knaster-Tarski theorem [31].

The semantics of LFP are based on those of first-order logic, with added provision for the fixed point operators. Let $D$ be an algebra matching the signature of terms and predicates of the logic, let $[\![t]\!]^{\theta}$ denote the interpretation of the term $t$ under the evaluation $\theta$ (a partial map from first-order variables to $D$) for its free first-order variables and some implicit interpretation of function symbols, and let $[\![\bar{t}]\!]^{\theta}$ be its component-wise lifting to tuples. Let $\mathcal{I}$ denote a map from predicate symbols and predicate variables free in $\varphi$ to relations of respective arities over the domain $D$. The semantics of a formula $\varphi$ are captured by the relation $\theta; \mathcal{I} \models \varphi$, defined by induction on $\varphi$:

$\theta; \mathcal{I} \models P(\bar{t})$ iff $[\![\bar{t}]\!]^{\theta} \in \mathcal{I}(P)$

$\theta; \mathcal{I} \models X(\bar{t})$ iff $[\![\bar{t}]\!]^{\theta} \in \mathcal{I}(X)$

$\theta; \mathcal{I} \models \top$ always, and $\theta; \mathcal{I} \models \bot$ never

$\theta; \mathcal{I} \models \varphi \wedge \psi$ iff $\theta; \mathcal{I} \models \varphi$ and $\theta; \mathcal{I} \models \psi$

$\theta; \mathcal{I} \models \varphi \vee \psi$ iff $\theta; \mathcal{I} \models \varphi$ or $\theta; \mathcal{I} \models \psi$

$\theta; \mathcal{I} \models \neg\varphi$ iff $\theta; \mathcal{I} \not\models \varphi$

$\theta; \mathcal{I} \models \forall x.\varphi$ iff for all $d \in D$, $\theta[x \mapsto d]; \mathcal{I} \models \varphi$

$\theta; \mathcal{I} \models \exists x.\varphi$ iff for some $d \in D$, $\theta[x \mapsto d]; \mathcal{I} \models \varphi$

$\theta; \mathcal{I} \models (\mu X(\bar{x}).\varphi)(\bar{t})$ iff $[\![\bar{t}]\!]^{\theta} \in \mu F^{X,\bar{x}}_{\theta,\mathcal{I}}(\varphi)$

$\theta; \mathcal{I} \models (\nu X(\bar{x}).\varphi)(\bar{t})$ iff $[\![\bar{t}]\!]^{\theta} \in \nu F^{X,\bar{x}}_{\theta,\mathcal{I}}(\varphi)$

In the last two clauses, $F^{X,\bar{x}}_{\theta,\mathcal{I}}(\varphi) : 2^{D^{|\bar{x}|}} \to 2^{D^{|\bar{x}|}}$ is the function that maps a set $S$ of tuples, each with $|\bar{x}|$ components, to $\{\bar{d} \mid \theta[\bar{x} \mapsto \bar{d}]; \mathcal{I}[X \mapsto S] \models \varphi\}$. This is a monotone map because of the constraint that every occurrence of $X$ in $\varphi$ be under an even number of negations. So its greatest and least fixed points, $\nu F^{X,\bar{x}}_{\theta,\mathcal{I}}(\varphi)$ and $\mu F^{X,\bar{x}}_{\theta,\mathcal{I}}(\varphi)$, exist by the Knaster-Tarski theorem [31].
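As an added worked example (not code from the paper), the following Python script computes the least and greatest fixed points of a simplified $\mathsf{maysend}$ operator over a small constructed domain by Kleene iteration, which is how the Knaster-Tarski fixed points of a monotone map are reached on a finite lattice. The principals, affiliation relation and past sends are constructed sample data, and the non-affiliation conditions of §6802(c) are simplified to a symmetric affiliate relation on pairs of principals. It makes concrete the point of Section 2 about choosing $\nu$: when two institutions have exchanged the information with each other, their permissions depend on each other cyclically, and only the greatest fixed point permits the onward disclosure.

```python
"""Least versus greatest fixed point of a maysend-style operator.

Added example, not code from the paper. It evaluates a simplified form of
the recursive maysend definition of Section 2 over a finite domain by
Kleene iteration: the domain is finite and the operator F is monotone, so
iterating F from the empty relation reaches the least fixed point mu F and
iterating from the full relation reaches the greatest fixed point nu F.
Principals, affiliations and past sends are constructed sample data.
"""
from itertools import product

PRINCIPALS = frozenset({"BankA", "BankB", "Marketer"})
INSTITUTIONS = frozenset({"BankA", "BankB"})
MESSAGES = frozenset({"m"})
AFFILIATES = frozenset()      # unordered pairs {p, q} of affiliated principals
# past transmissions (sender, receiver, message) recorded on the trace:
# the two institutions have exchanged m with each other
SENT = frozenset({("BankA", "BankB", "m"), ("BankB", "BankA", "m")})


def nonaffiliated(p, q):
    return p != q and frozenset({p, q}) not in AFFILIATES


def F(S):
    """One application of the maysend operator to a candidate relation S.

    (p1, p2, m) is in F(S) iff p1 and p2 are non-affiliated and, for every
    institution p' non-affiliated with both that sent m to p1 in the past,
    p' may itself send m to p2 according to S (the recursive occurrence).
    """
    out = set()
    for p1, p2, m in product(PRINCIPALS, PRINCIPALS, MESSAGES):
        if not nonaffiliated(p1, p2):
            continue
        senders = [q for (q, r, mm) in SENT
                   if r == p1 and mm == m and q in INSTITUTIONS
                   and nonaffiliated(q, p1) and nonaffiliated(q, p2)]
        if all((q, p2, m) in S for q in senders):
            out.add((p1, p2, m))
    return frozenset(out)


def iterate_to_fixed_point(F, start):
    """Kleene iteration; terminates because the lattice of relations is finite."""
    cur = frozenset(start)
    while True:
        nxt = F(cur)
        if nxt == cur:
            return cur
        cur = nxt


def lfp(F):
    return iterate_to_fixed_point(F, frozenset())


def gfp(F):
    top = frozenset(product(PRINCIPALS, PRINCIPALS, MESSAGES))
    return iterate_to_fixed_point(F, top)


if __name__ == "__main__":
    print(sorted(lfp(F)))   # neither bank may send m to Marketer: the cycle is unresolved
    print(sorted(gfp(F)))   # both banks may, since no stated condition fails
```

Running the script shows that $(\mathsf{BankA}, \mathsf{Marketer}, m)$ is in $\nu F$ but not in $\mu F$: each bank's permission to disclose onward rests on the other's, so the least solution contains neither and the greatest contains both. Sending $m$ back to the institution it came from is permitted under either reading, because that institution is not a non-affiliated third party of both parties.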

Negation normal form (NNF) For every LFP formula $\varphi$, there is a semantically equivalent formula in which negation is restricted to predicates (i.e., to subformulas of the form $\neg P(\bar{t})$). Formulas of the latter form are said to be in negation normal form or NNF. The NNF of an LFP formula $\varphi$ can be obtained by commuting negations inwards through the other connectives using De Morgan's laws, e.g., $\neg(\varphi_1 \wedge \varphi_2)$ is equivalent to $(\neg\varphi_1) \vee (\neg\varphi_2)$. Importantly, the fixed points $\mu$ and $\nu$ are duals of each other: $\neg((\mu X(\bar{x}).\varphi)(\bar{t}))$ is equivalent to $(\nu X(\bar{x}).\neg\varphi\{\neg X/X\})(\bar{t})$. The existence of equivalent NNF formulas for all of LFP is important because one of our enforcement techniques (model checking; Section 5.2) works only with NNF formulas. Note that the NNF formula obtained by applying De Morgan's laws in this manner cannot have a subformula of the form $\neg X(\bar{t})$ because of the monotonicity requirement for predicate variables $X$ bound by the $\mu$ and $\nu$ operators.
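As an added example (not the paper's code), here is a Python transformation to negation normal form over a small LFP abstract syntax, including the $\mu$/$\nu$ duality above. The tuple encoding of formulas and the constructor names are an assumption of this example. It also illustrates the remark about negated predicate variables: the negation of a $\nu$-defined permission such as $\mathsf{maysend}$ comes out as a $\mu$-defined predicate with every occurrence of the bound variable positive, and that least fixed point, read as an audit, collects positive evidence of a violation.

```python
"""Negation normal form (NNF) for LFP formulas, including the mu/nu duality.

Added example, not code from the paper. Formulas are nested tuples in an
encoding chosen for this example:
  ('P', name, args)            fixed predicate P(t)
  ('X', name, args)            predicate variable X(t)
  ('top',), ('bot',)
  ('not', phi)
  ('and', phi, psi), ('or', phi, psi)
  ('forall', x, phi), ('exists', x, phi)
  ('mu', X, xs, phi, args)     (mu X(xs). phi)(args)
  ('nu', X, xs, phi, args)     (nu X(xs). phi)(args)
"""

DUAL = {'and': 'or', 'or': 'and', 'forall': 'exists', 'exists': 'forall',
        'mu': 'nu', 'nu': 'mu', 'top': 'bot', 'bot': 'top'}


def subst_neg(phi, X):
    """phi{~X/X}: replace every free occurrence X(t) by not X(t)."""
    tag = phi[0]
    if tag == 'X':
        return ('not', phi) if phi[1] == X else phi
    if tag in ('P', 'top', 'bot'):
        return phi
    if tag == 'not':
        return ('not', subst_neg(phi[1], X))
    if tag in ('and', 'or'):
        return (tag, subst_neg(phi[1], X), subst_neg(phi[2], X))
    if tag in ('forall', 'exists'):
        return (tag, phi[1], subst_neg(phi[2], X))
    if tag in ('mu', 'nu'):
        if phi[1] == X:                      # inner binder shadows X
            return phi
        return (tag, phi[1], phi[2], subst_neg(phi[3], X), phi[4])
    raise ValueError(f'unknown constructor {tag}')


def nnf(phi):
    """Push negations inward until they sit only on fixed predicates."""
    tag = phi[0]
    if tag in ('P', 'X', 'top', 'bot'):
        return phi
    if tag in ('and', 'or'):
        return (tag, nnf(phi[1]), nnf(phi[2]))
    if tag in ('forall', 'exists'):
        return (tag, phi[1], nnf(phi[2]))
    if tag in ('mu', 'nu'):
        return (tag, phi[1], phi[2], nnf(phi[3]), phi[4])
    assert tag == 'not'
    inner = phi[1]
    t = inner[0]
    if t == 'P':
        return phi                           # a literal stays as it is
    if t == 'X':
        # unreachable for variables bound under an even number of
        # negations; reaching it means the monotonicity condition fails
        raise ValueError(f'negated predicate variable {inner[1]}')
    if t in ('top', 'bot'):
        return (DUAL[t],)
    if t == 'not':
        return nnf(inner[1])                 # double negation
    if t in ('and', 'or'):                   # De Morgan
        return (DUAL[t], nnf(('not', inner[1])), nnf(('not', inner[2])))
    if t in ('forall', 'exists'):
        return (DUAL[t], inner[1], nnf(('not', inner[2])))
    if t in ('mu', 'nu'):
        # not (mu X(xs). phi)(args) == (nu X(xs). not phi{~X/X})(args), and dually
        X, xs, body, args = inner[1], inner[2], inner[3], inner[4]
        return (DUAL[t], X, xs, nnf(('not', subst_neg(body, X))), args)
    raise ValueError(f'unknown constructor {t}')


def is_nnf(phi):
    """True iff every negation in phi is applied directly to a fixed predicate."""
    tag = phi[0]
    if tag in ('P', 'X', 'top', 'bot'):
        return True
    if tag == 'not':
        return phi[1][0] == 'P'
    if tag in ('and', 'or'):
        return is_nnf(phi[1]) and is_nnf(phi[2])
    if tag in ('forall', 'exists'):
        return is_nnf(phi[2])
    return is_nnf(phi[3])                    # mu / nu


# A cut-down maysend permission as a greatest fixed point, with the past
# operator folded into the predicate sent(p', p1, m) for this example:
#   (nu maysend(p1,p2,m). forall p'. not affiliate(p1,p') and
#       (sent(p',p1,m) implies maysend(p',p2,m)))(a, b, m0)
MAYSEND = ('nu', 'maysend', ['p1', 'p2', 'm'],
           ('forall', "p'", ('and',
               ('not', ('P', 'affiliate', ['p1', "p'"])),
               ('or', ('not', ('P', 'sent', ["p'", 'p1', 'm'])),
                      ('X', 'maysend', ["p'", 'p2', 'm'])))),
           ['a', 'b', 'm0'])

if __name__ == '__main__':
    # The negation is a least fixed point that collects evidence of a violation:
    # some p' is an affiliate, or p' sent m to p1 and p' itself may not send to p2.
    print(nnf(('not', MAYSEND)))
```

The dualized formula has $\mathsf{maysend}$ under zero negations, as the monotonicity condition guarantees, so the only negations left are on the fixed predicates $\mathsf{affiliate}$ and $\mathsf{sent}$.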

2.2 Traces, First-Order Structure, and Time

Next, we introduce a trace-based model for interpreting formulas of LFP. A salient feature of the model is the association of real time with states, which is necessary to express several clauses from both HIPAA and GLBA.

Traces Our execution model consists of several agents or principals $p, q$ in changing roles $r$, performing actions concurrently, resulting in a finite sequence of states $s_0 s_1 \cdots s_n$, also called a trace $\sigma$. Each state $s'$ is derived from the previous state $s$ through a stipulated transition relation $s \xrightarrow{\alpha(s)} s'$, where $\alpha(s)$ describes the actions performed by the various agents in state $s$. A state $s$ is a tuple $(\kappa(s), \rho_A(s), \rho_B(s), \alpha(s), \tau(s), \iota(s))$. Briefly, $\kappa(s)$ maps each agent to its knowledge of private information (a formal description of knowledge is omitted here; see the related technical report [20] for details); $\rho_A(s)$ is a function that maps each agent to the role in which it is active in state $s$; $\rho_B(s)$ is a function from agents to sets of roles that specifies the potential roles in which each agent may be active in future; $\alpha(s)$ is the set of actions performed by agents in state $s$ that cause a transition to the next state on the trace; $\tau(s)$ is the time point associated with the state (described in detail below); and $\iota(s)$ is an interpretation of predicates in state $s$ that maps each predicate symbol $P$ in the signature of the logic to a set of tuples of terms over a domain $D$. $D$ must include, at the least, principals, roles, time points, attributes and purposes (explained in Section 3), and messages that agents may send to each other.

Interpretation on traces To interpret formulas of LFP over traces, we restrict ourselves to a fragment of the logic in which the first argument of every atomic formula is the state in which the formula is to be interpreted, so each atomic formula has the form $P(s, \bar{t})$ or $X(s, \bar{t})$. Given a trace $\sigma$, we define the interpretation $\mathcal{I}_\sigma$ by saying that $(s, \bar{d}) \in \mathcal{I}_\sigma(P)$ if and only if $\bar{d} \in \iota(s)(P)$. Finally, we define $\theta; \sigma \models \varphi$ to mean $\theta; \mathcal{I}_\sigma \models \varphi$ (the latter relation was defined in Section 2.1). This approach to interpreting formulas against traces by making state explicit in formulas is inspired by work on hybrid modal logics [12, 14, 16]. It differs from semantic relations in temporal logic where formulas do not explicitly mention state but the semantic relation takes the state as an argument (it has the form $\theta; \sigma; s \models \varphi$). Our approach is more expressive than temporal logic because it allows us to compare states and check their properties through predicates in the logic. The predicate $s <_{\mathrm{st}} s'$ means that state $s$ occurs before state $s'$ in the trace of interpretation, while the function $\mathsf{next}(s)$ returns the state following $s$.

Real Time Privacy laws, including HIPAA and GLBA, often contain references to durations of real time. To represent wall-clock time in the logic, we follow prior work by Alur and Henzinger [2] and assume that each state $s$ is associated with a time point $\tau(s)$, which can be obtained in the logic through the function symbol $\mathsf{time}(s)$. We assume standard operators $<$, $+$, $-$, etc. on time points and require that for consecutive states $s_i$ and $s_{i+1}$ on a trace, $\mathsf{time}(s_i) < \mathsf{time}(s_{i+1})$. As a result, $s <_{\mathrm{st}} s'$ in the logic if and only if $\mathsf{time}(s) < \mathsf{time}(s')$. To make it easier to access the wall-clock time, we include the so-called freeze quantifier $\downarrow x.\varphi$ of TPTL in PrivacyLFP (Section 2.3). $\downarrow x.\varphi$ binds the time of interpretation to $x$ in $\varphi$. Several examples of the use of real time in privacy laws are presented in Section 3.


2.3 PrivacyLFP: LFP + Temporal Operators


The logic PrivacyLFP consists of an expanded syntax for LFP and is interpreted over the model defined in Section 2.2 through a translation to LFP, which we present in this section. The need for an expanded syntax is motivated by two reasons. First, the expanded syntax includes several operators of linear time temporal logic (LTL) [26] as well as the freeze quantifier $\downarrow x.\varphi$ of Alur and Henzinger [2], all of which make it easier to represent time and the relative order of events in privacy policies. Second, the expanded syntax removes the need to list the state of interpretation explicitly in each predicate (which we introduced in Section 2.2 to allow interpretation of formulas on traces), because its translation to LFP is parametrized by the state of interpretation and embeds that state as the first argument of each atomic formula automatically.

Formulas in PrivacyLFP are denoted $\varphi, \psi$. They include all connectives of LFP and the standard linear temporal logic operators: $\Diamond\varphi$ ($\varphi$ holds in some future state), $\blacklozenge\varphi$ ($\varphi$ holds in some past state), $\Box\varphi$ ($\varphi$ holds in every future state), $\blacksquare\varphi$ ($\varphi$ holds in every past state), $\mathsf{G}\,\varphi$ ($\varphi$ holds in every state), $\bigcirc\varphi$ ($\varphi$ holds in the next state), $\varphi\,\mathcal{U}\,\psi$ ($\psi$ holds eventually and $\varphi$ holds until then), $\varphi\,\mathcal{S}\,\psi$ ($\psi$ held in the past and $\varphi$ has held since then), and $\varphi\,\mathcal{W}\,\psi$ ($\varphi$ holds forever or until $\psi$ holds), as well as the "freeze" quantifier $\downarrow x.\varphi$, which binds to $x$ in $\varphi$ the time of interpretation. The meaning of PrivacyLFP formulas is defined by the function $(\varphi)@s$, which translates, at state $s$, a formula $\varphi$ of PrivacyLFP to a formula of LFP.


$(P(\bar{t}))@s \triangleq P(s, \bar{t})$

$((\nu X(\bar{x}).\varphi)(\bar{t}))@s \triangleq (\nu X(y, \bar{x}).\varphi@y)(s, \bar{t})$, and similarly for $\mu$

$(\Diamond\varphi)@s \triangleq \exists s'.\ (s <_{\mathrm{st}} s') \wedge \varphi@s'$

$(\blacklozenge\varphi)@s \triangleq \exists s'.\ (s' <_{\mathrm{st}} s) \wedge \varphi@s'$

$(\Box\varphi)@s \triangleq \forall s'.\ (s <_{\mathrm{st}} s') \supset \varphi@s'$

$(\blacksquare\varphi)@s \triangleq \forall s'.\ (s' <_{\mathrm{st}} s) \supset \varphi@s'$

$(\mathsf{G}\,\varphi)@s \triangleq \forall s'.\ \varphi@s'$

$(\varphi\,\mathcal{U}\,\psi)@s \triangleq \exists s'.\ (s <_{\mathrm{st}} s') \wedge \psi@s' \wedge (\forall s''.\ (s <_{\mathrm{st}} s'') \wedge (s'' <_{\mathrm{st}} s') \supset \varphi@s'')$

$(\varphi\,\mathcal{S}\,\psi)@s \triangleq \exists s'.\ (s' <_{\mathrm{st}} s) \wedge \psi@s' \wedge (\forall s''.\ (s' <_{\mathrm{st}} s'') \wedge (s'' <_{\mathrm{st}} s) \supset \varphi@s'')$

$(\varphi\,\mathcal{W}\,\psi)@s \triangleq (\Box\varphi)@s \vee (\varphi\,\mathcal{U}\,\psi)@s$

$(\bigcirc\varphi)@s \triangleq \varphi@\mathsf{next}(s)$

$(\downarrow x.\varphi)@s \triangleq ([\mathsf{time}(s)/x]\varphi)@s$

The remaining connectives of LFP ($\top$, $\bot$, $\wedge$, $\vee$, $\neg$, $\forall$, $\exists$) are translated homomorphically, passing the state $s$ unchanged to their subformulas. Note that the future and past operators range over states strictly after or strictly before $s$.


In the sequel, we represent policies and responsibilities in PrivacyLFP but, owing to its definability in LFP, develop analysis methods (proof theory and model checking in Section 5) for LFP only.


3 Case Studies: GLBA and HIPAA

Our choice of the logic PrivacyLFP for analysis of privacy laws and policies is based on two real-life case studies wherein we represent (in PrivacyLFP) all the privacy-relevant sections of the Gramm-Leach-Bliley Act (GLBA) [32], which regulates disclosures of private information by financial institutions like banks, and the Health Insurance Portability and Accountability Act (HIPAA) [33], which regulates protected health information. To the best of our knowledge, these are the most complete formalizations of GLBA or HIPAA in a formal logic or language to date. Both our case studies are substantial: the encoding of GLBA spans 13 pages, while that of HIPAA requires over 100 pages (both page counts include explanations of logical formulas). Although the details of these formalizations are the subject of a separate technical report [20], we briefly discuss salient points of the case studies and use examples from them to illustrate the use of PrivacyLFP in formalizing privacy regulations.

The Gramm-Leach-Bliley Act (GLBA) Our formalization of GLBA covers §6802 and §6803 of the law and relies on §6809 for definitions of key concepts. §6802 describes several conditions, all of which must hold in order for a disclosure of a client's private information by a financial institution to be considered legal. Borrowing terms from prior work on LPU, we call such conditions negative norms, symbolically denoted $\varphi^{-}$. (In contrast, positive norms $\varphi^{+}$ are conditions of which any one must hold in order for a transaction to be considered legal. GLBA does not have any positive norms but HIPAA does, as we explain later.) §6803 pertains to disclosures that a financial institution must make to its clients, e.g., every financial institution must remind all customers of its privacy policies annually (§6803(a)). Finally, §6809 defines transmissions that are covered under this law. Roughly, it states that even transmissions made by principals acting on behalf of a financial institution (e.g., disclosures by a financial institution's attorneys) are covered under the law. To account for this, we define a macro $\mathsf{hlsend}(p_1, p_2, m)$ which intuitively means that someone acting on behalf of $p_1$ sends message $m$ to someone acting on behalf of $p_2$, and write our formalization using this predicate instead of the expected predicate $\mathsf{send}(p_1, p_2, m)$, which means that $p_1$ sends message $m$ to $p_2$. The overall formalization of GLBA takes the form shown below. The formalization retains the structure of the law; subscripts on the various $\varphi$'s are the corresponding clause numbers from the text of the law. The formula $\mathsf{contains}(m, q, t)$ means that message $m$ contains information about attribute $t$ of subject $q$, e.g., $\mathsf{contains}(m, \mathsf{address}, \mathsf{Alice})$ means that message $m$ contains Alice's address; $\mathsf{info}(d, u)$ is the message obtained by tagging the raw data $d$ with purpose $u$ (e.g., billing); $\mathsf{beginrole}(q, r)$ means that principal $q$ begins to belong to role $r$.

$$\begin{array}{l}
\mathsf{G}\,\big(\ (\forall p_1', p_2', m'.\ \mathsf{hlsend}(p_1', p_2', m') \supset \\
\quad (\nu\,\mathsf{maysend}(p_1, p_2, m).\ \forall d, u, q, t.\ (m = \mathsf{info}(d, u)) \wedge \mathsf{contains}(m, q, t) \supset (\varphi^{-}_{6802ae} \wedge \varphi^{-}_{6802be} \wedge \varphi^{-}_{6802c} \wedge \varphi^{-}_{6802d}))(p_1', p_2', m'))\ \wedge \\
\hline
\quad (\forall q, p, r.\ \mathsf{beginrole}(q, r) \wedge (r = \mathsf{customer}(p)) \supset \varphi^{-}_{6803a} \vee \varphi^{+}_{6803d1})\ \big)
\end{array}$$

Parts of the formalization corresponding to §6802 and §6803 are separated by a horizontal line for readability. The part above the line states that $p_1'$ may send message $m'$ to $p_2'$ only if $\mathsf{maysend}(p_1', p_2', m')$ holds, where the predicate $\mathsf{maysend}(p_1, p_2, m)$ (the permission to send) is defined recursively as a greatest fixed point over the negative norms $\varphi^{-}_{6802ae}$ through $\varphi^{-}_{6802d}$ of the law. The fixed point is needed because, as discussed in Section 2, $\varphi^{-}_{6802c}$ mentions $\mathsf{maysend}$ again. The part below the line formalizes §6803; it states that if principal $q$ enters into a customer relationship with financial institution $p$, then $p$ must make certain privacy-related disclosures to $q$, as codified in the norm $\varphi^{-}_{6803a}$. The norm $\varphi^{+}_{6803d1}$ is an exception to these required disclosures and is therefore marked with the opposite polarity $+$. As illustrations, we show the formulas $\varphi^{-}_{6802c}$ and $\varphi^{-}_{6803a}$. The former, §6802(c), was mentioned as the motivating example for fixed points in Section 2. Readers may wish to revisit Section 2 for the legal text of the clause. The formula $\mathsf{activerole}(p, r)$ means that $p$ is active in the role $r$; $\mathsf{belongstorole}(p, r)$ means that $p$ is affiliated with role $r$ but may not be acting in it in the current state; and $t \in_T \mathsf{npi}$ means that attribute $t$ would generally not be public information, e.g., a social security number.

$$\begin{array}{rl}
\varphi^{-}_{6802c} \triangleq \forall p', m''. & \neg\mathsf{activerole}(p_1, \mathsf{affiliate}(p'))\ \wedge \\
& (\neg\mathsf{activerole}(p_2, \mathsf{affiliate}(p')) \wedge \neg\mathsf{activerole}(p_2, \mathsf{affiliate}(p_1)))\ \wedge \\
& (t \in_T \mathsf{npi})\ \wedge \\
& \blacklozenge(\mathsf{hlsend}(p', p_1, m'') \wedge \mathsf{contains}(m'', q, t) \wedge \mathsf{activerole}(p', \mathsf{institution})\ \wedge \\
& \quad\ \neg\mathsf{activerole}(p_1, \mathsf{affiliate}(p')) \wedge \mathsf{belongstorole}(q, \mathsf{consumer}(p')))\ \supset \\
& \blacklozenge\mathsf{maysend}(p', p_2, m'')
\end{array}$$

In conjunction with the overall formula for GLBA, this norm means that principal $p_1$ has permission to send message $m$ containing attribute $t$ about $q$ (from which some nonpublic personal information, $\mathsf{npi}$, about $q$ can be inferred) to $p_2$ only if, for every message $m''$ containing $(q, t)$ that $p_1$ received in the past from some non-affiliated institution $p'$, it is also the case that $p'$ had permission to send $m''$ to $p_2$ directly. The fact that $p_1$'s permission to send depends on $p'$'s permission to send is represented through the greatest fixed point that defines the predicate $\mathsf{maysend}$ in the top-level formula.

The second norm we illustrate, §6803(a), highlights the use of clock time. Its legal description and formalization are:

At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer [...], of such financial institution's policies and practices with respect to [disclosing nonpublic personal information].

$$\begin{array}{rl}
\varphi^{-}_{6803a} \triangleq & (\exists m''.\ \mathsf{hlsend}(p_1, q, m'') \wedge \mathsf{is\text{-}annual\text{-}notice}(m'', p_1, q))\ \wedge \\
& ((\downarrow x.\ \Diamond(\downarrow y.\ (y \le x + 365)\ \wedge \\
& \qquad ((\exists m''.\ \mathsf{hlsend}(p_1, q, m'') \wedge \mathsf{is\text{-}annual\text{-}notice}(m'', p_1, q)) \vee \mathsf{endrole}(q, \mathsf{customer}(p_1)))))\ \mathcal{W} \\
& \ \mathsf{endrole}(q, \mathsf{customer}(p_1)))
\end{array}$$

Together with the overall specification of GLBA, this norm requires that a financial institution $p_1$ send an annual notice of its privacy policies (represented by $m''$) to a customer $q$ when the customer establishes a relationship with $p_1$ and subsequently every year unless the relationship ends. Real time, expressed through the sequence of operators $\downarrow x.\ \Diamond(\downarrow y.\ (y \le x + 365) \wedge \ldots)$, ensures that for every state at time $x$ there exists a later state at time $y$, occurring no more than 365 days later, in which the annual notice is sent (or the customer relationship has ended). Time points are measured in days here.
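As an added example (not code from the paper), the following Python script evaluates $\varphi^{-}_{6803a}$ over two constructed logs, implementing the temporal operators and the freeze quantifier as translated in Section 2.3 (future operators are strict, and $\mathcal{W}$ is box-or-until); this is the post hoc audit of Section 5 carried out by direct evaluation rather than by the paper's tableau procedure. The state representation, the event names and the two sample logs are assumptions of this example, with times in days; the exception $\varphi^{+}_{6803d1}$ is not modelled.

```python
"""Auditing the GLBA §6803(a) annual-notice responsibility over a finite log.

Added example, not code from the paper. A formula is a Python function
f(trace, i) -> bool, where trace is a list of states and i the index of the
state of interpretation. The combinators follow the translation of Section
2.3: future operators range over states strictly after the current one,
W is defined as box-or-until, and the freeze quantifier binds the
wall-clock time of the current state. States, event names and the two logs
below are constructed sample data, with times in days.
"""


def atom(pred):
    """Lift a predicate on the current state to a formula."""
    return lambda tr, i: pred(tr[i])


def conj(*fs):
    return lambda tr, i: all(f(tr, i) for f in fs)


def disj(*fs):
    return lambda tr, i: any(f(tr, i) for f in fs)


def eventually(f):            # (◇φ)@s = ∃s'. s <st s' ∧ φ@s'
    return lambda tr, i: any(f(tr, j) for j in range(i + 1, len(tr)))


def always(f):                # (□φ)@s = ∀s'. s <st s' ⊃ φ@s'
    return lambda tr, i: all(f(tr, j) for j in range(i + 1, len(tr)))


def until(f, g):              # ψ at some later s', φ at every state strictly between
    def ev(tr, i):
        return any(g(tr, j) and all(f(tr, k) for k in range(i + 1, j))
                   for j in range(i + 1, len(tr)))
    return ev


def weak_until(f, g):         # (φ W ψ) = □φ ∨ (φ U ψ)
    return disj(always(f), until(f, g))


def freeze(body):             # (↓x.φ)@s = ([time(s)/x]φ)@s; body maps x to a formula
    return lambda tr, i: body(tr[i]["time"])(tr, i)


def annual_notice_norm(p1, q):
    """φ⁻_6803a for institution p1 and customer q, as written in Section 3."""
    notice = atom(lambda s: ("annual-notice", p1, q) in s["events"])
    ended = atom(lambda s: ("endrole", q, ("customer", p1)) in s["events"])
    # ↓x. ◇(↓y. (y ≤ x + 365) ∧ (notice ∨ ended))
    within_a_year = freeze(lambda x: eventually(freeze(lambda y: conj(
        lambda tr, i: y <= x + 365, disj(notice, ended)))))
    return conj(notice, weak_until(within_a_year, ended))


def violations(trace, p1, q):
    """Indices of states where q became p1's customer but φ⁻_6803a fails there.

    This is the top-level check G(beginrole ⊃ φ⁻_6803a) of Section 3
    restricted to one institution and one customer; the exception
    φ⁺_6803d1 is not modelled.
    """
    norm = annual_notice_norm(p1, q)
    begins = atom(lambda s: ("beginrole", q, ("customer", p1)) in s["events"])
    return [i for i in range(len(trace)) if begins(trace, i) and not norm(trace, i)]


def state(time, *events):
    return {"time": time, "events": set(events)}


P1, Q = "BankA", "Alice"
BEGIN = ("beginrole", Q, ("customer", P1))
END = ("endrole", Q, ("customer", P1))
NOTICE = ("annual-notice", P1, Q)

# Constructed logs. In the first, every state after the start is followed by
# a notice or by the end of the relationship within 365 days; in the second,
# the state at day 50 is followed by no notice until day 450.
TRACE_OK = [state(0, BEGIN, NOTICE), state(100), state(300, NOTICE),
            state(500, NOTICE), state(700, END)]
TRACE_LATE = [state(0, BEGIN, NOTICE), state(50), state(450, NOTICE),
              state(700, END)]

if __name__ == "__main__":
    print(violations(TRACE_OK, P1, Q))     # []
    print(violations(TRACE_LATE, P1, Q))   # [0]
```

The second log has 400 days between consecutive notices, so the norm fails at the state in which the relationship begins and that state is reported. One caveat for auditing real logs: $\Diamond$ is evaluated over the finite trace, so an obligation whose deadline lies beyond the end of the log is judged unmet; an auditor should therefore only draw conclusions about states whose 365-day window has closed or whose relationship has ended, which is why both sample logs run up to an $\mathsf{endrole}$ event.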

The Health Insurance Portability and Accountability Act (HIPAA) For HIPAA, we formalize §164.502, §164.506, §164.508, §164.510, §164.512, §164.514, and §164.524 of the CFR. §164.502 through §164.514 define conditions under which a covered entity, which is the HIPAA abstraction for an organization or individual that handles private health information, may disclose such information to other principals. In general, disclosures are allowed for purposes of treatment, for adherence to law, and when prior consent has been obtained from the subject of the information being disclosed. §164.524 specifies rules for responding to requests for health information by patients. Overall, the top-level formula for HIPAA has the following form. (The formula $\mathsf{req\_for\_access}(p_1, t)$ is a request by principal $p_1$ that attribute $t$, e.g., $\mathsf{labresults}$, be retrieved from $p_1$'s medical record and given to it.)

\[
\begin{array}{l}
G\,(\forall p_1, p_2, m.\ \mathrm{send}(p_1, p_2, m) \supset \\
\quad (\forall d, u, q.\ (m = \mathrm{info}(d, u)) \wedge \mathrm{contains}(m, q, t) \supset \bigvee_i \varphi_i^+ \wedge \bigwedge_j \varphi_j^-)\ \wedge \\
\quad (\forall t.\ (m = \mathrm{req\_for\_access}(p_1, t)) \supset \varphi_{164.524b2i} \vee \varphi_{164.524b2ii}))
\end{array}
\]

$\varphi_i^+$ and $\varphi_j^-$ represent various positive and negative norms to permit disclosures defined in §164.502–§164.514. Some of these norms are listed in Figure 1. We mention three salient, high-level differences from the formalization of GLBA. First, the formalization of HIPAA does not require fixed-point operators, although it does require real time, e.g., in formulas $\varphi_{164.512c2}$ and $\varphi_{164.524b2i}$ in Figure 1. Second, as opposed to GLBA, HIPAA includes positive norms as well (e.g., $\varphi_{164.502b2i}$ and $\varphi_{164.506c1}$). These are combined disjunctively in the formalization because only one of them must be satisfied to permit a transmission. Finally, permission to disclose protected health information under HIPAA is often contingent upon the purpose (treatment, payment, health care, etc.) of the disclosure, but HIPAA does not regulate that the recipient of the information use it for exactly the intended purpose. To model this, we assume that the sender of each message lists its purpose in the message (messages with protected health information have the form $\mathrm{info}(d, u)$ in the top-level formula above, where $d$ is the data content and $u$ its purpose) and allow the norms $\varphi_i^+$ and $\varphi_j^-$ to check the purpose $u$ against those mentioned in HIPAA. Examples of formulas with such checks are $\varphi_{164.502b2i}$ and $\varphi_{164.506c1}$ in Figure 1. The predicate $u \in_u u'$ means that purpose $u$ is a specific form of purpose $u'$, e.g., $\text{blood-test} \in_u \mathrm{treatment}$.

\[
\begin{array}{l}
\varphi_{164.502b2i} = \mathrm{activerole}(p_2, \mathrm{provider}) \wedge (u \in_u \mathrm{treatment}) \\[6pt]
\varphi_{164.506c1} = \mathrm{activerole}(p_1, \text{covered-entity}) \wedge (t \in_T \mathrm{phi})\ \wedge \\
\quad ((u \in_u \mathrm{treatment}(p_1)) \vee (u \in_u \mathrm{payment}(p_1)) \vee (u \in_u \text{healthcare-operations}(p_1))) \\[6pt]
\varphi_{164.512c2} = \downarrow x.\ \exists m'.\ (\Diamond \mathrm{send}(p_1, q, m') \vee \Diamond(\downarrow y.\ (y \le x + c_{prompt}) \wedge \mathrm{send}(p_1, q, m')))\ \wedge \\
\quad \text{is-notice-of-report}(m', p_1, p_2, (q, t), u) \\[6pt]
\varphi_{164.524b2i} = \downarrow x.\ \text{accessible-on-site}(p_2, (p_1, t)) \supset \Diamond(\downarrow y.\ (y \le x + 30)\ \wedge \\
\quad (\text{respond-164.524b2iA}(p_2, (p_1, t)) \vee \text{respond-164.524b2iB}(p_2, (p_1, t))))
\end{array}
\]

($c_{prompt}$ is a time constant that captures the term "promptly" in the law's text.)

Figure 1: Representative norms from HIPAA formalized in PrivacyLFP


4  Organizational  Process  Model 

In Section 4.1, we model organizational processes by assigning role-based responsibilities (expressed in PrivacyLFP) to agents. Specifically, we show through an example how such a model could mirror an organization's natural hierarchy. It is important to ensure that an agent can, in fact, discharge her assigned responsibilities. In Section 4.2, we present examples of responsibilities in PrivacyLFP that can never be discharged, and then go on to provide a semantic definition of locally feasible responsibilities, which can be discharged. To aid in designing organizational processes, we also present easily checkable, sound syntactic characterizations of responsibilities that meet this criterion, associated strategies, and results about composition of such responsibilities (Theorem 4.2).

4.1  Role-based  Responsibility 

We model organizational processes by assigning role-based responsibilities (expressed in PrivacyLFP) to agents. Agents can be individuals, organizational units, or software systems (reference monitors) that aid in policy enforcement. The responsibilities of human agents can be arbitrary formulas in PrivacyLFP, while responsibilities for software systems should not contain any predicates whose truth value cannot be automatically determined by looking at a trace (e.g., the predicate $\mathrm{contains}(m, q, t)$ from Section 3).

We show through an example how such a model could mirror an organization's natural hierarchy. Figure 2 contains an illustration of the processes and a summary of the policies and responsibilities involved in this example. The high-level policy $\varphi_{pol}$ resembles the first half of the top-level formula of GLBA from Section 3, and contains simplified policies from GLBA. The body of the greatest fixed point contains the conjunction of two negative norms. The first norm states that $p_1$ may send to $p_2$ a message $m$, which contains information $t$ about principal $q$, only if in the past $p_1$ has sent $q$ a notice of disclosure. The second negative norm is a simplified version of $\varphi_{6802c}$, which states that if $p_1$ ever received from another principal $p'$ a message containing the same information $t$ about principal $q$, then $p_1$ may disclose this information to $p_2$ only if $p'$ is allowed to send this information directly to $p_2$.

Enforcing $\varphi_{pol}$ requires an institution to determine whether another institution may disclose information. This is not always possible, since an institution may not have the ability to observe all actions performed by other principals. An alternative is to allow an institution $p_1$ to directly send a message and ask the other institution $p_2$ whether $p_2$ may disclose a certain piece of information. In turn, $p_1$ will be responsible for answering similar queries about itself. Such a process can be modeled by two responsibilities, $\varphi_{r1}$ and $\varphi_{r2}$. $\varphi_{r1}$ states that $p_1$ can send a message to $p_2$ only if there was a notice of disclosure, and if $p_1$ received the information from $p'$, then $p'$ must have replied to $p_1$'s query and confirmed that $p'$ can send the message directly. $\varphi_{r2}$ requires that whenever $p_1$ replies to $p_2$, $p_1$ indeed is allowed to send the information. Notice that the conditions under which $p_1$ is allowed to reply are the same as those under which $p_1$ may disclose the information.

The picture at the top of Figure 2 illustrates the internal processes of an institution P. There are three departments: a disclosure department (D), which is in charge of sending disclosures; a main send and receive department (SR), which is in charge of sending and receiving messages outside P; and a query and reply department (QR), which is in charge of querying another institution whether certain information can be sent, and answering similar queries from other institutions. SR decides whether a send is allowed or not by asking the disclosure department if it has sent a disclosure, and if SR wants to forward a message it received from another institution, it asks QR whether that institution could send that information directly.

Each of these three departments is modeled by its responsibilities, which are represented using logical formulas. We selectively list some of the formulas in the figure. In the next section, we present policy enforcement techniques using which we can show that the D, SR, and QR departments together fulfill P's responsibilities $\varphi_{r1}$ and $\varphi_{r2}$, and that if all institutions fulfill their responsibilities, they collectively comply with the high-level policy $\varphi_{pol}$.

4.2  Locally  Feasible  Responsibilities 

An  agent  should  be  assigned  responsibilities  that  can  be  discharged  using  her  capabilities.  Typically,  an 
agent  may  not  be  able  to  observe  all  actions  of  other  agents,  or  cause  another  agent  to  perform  an  action. 
Consider  the  following  responsibilities  assigned  to  agent  p: 

\[
\varphi_1 = \forall c, m.\ \blacklozenge\mathrm{send}(c, p, m) \supset \exists m'.\ \mathrm{send}(b, c, m')
\]

\[
\varphi_2 = \forall m.\ \Diamond\mathrm{send}(b, p, m) \supset \exists m'.\ \mathrm{send}(p, c, m')
\]

$\varphi_1$ requires an agent $b$ to send a message to $c$ if $c$ has sent a message to $p$. $p$ cannot fulfill this responsibility because she does not have the power to cause $b$ to send a message. $\varphi_2$ requires $p$ to send a message $m'$ to $c$ if, in the future, $b$ sends a message to $p$. $p$ cannot fulfill this responsibility because she cannot predict the future.

Intuitively,  a  reasonable  responsibility  for  an  agent  p  has  to  be  local  in  the  sense  that  it  only  depends  on 
histories  of  the  system  execution  observable  by  p,  and  it  has  to  be  feasible  in  the  sense  that  p  has  a  strategy 
to  fulfill  it  using  only  her  own  actions.  We  make  this  intuition  precise  in  the  following  definitions. 

Definitions. To talk about $p$'s plans to fulfill her responsibilities, we define planned traces $\sigma$, which contain planned inactions. We write $\neg\alpha$ to denote a function that maps states to a set of inactions in that state. A state in a planned trace is a tuple $(\kappa(s), \rho(s), \alpha(s), \neg\alpha(s), \tau(s), \iota(s))$. If $\mathrm{send}(p, q, m) \in \neg\alpha(s)$, then in state $s$, $p$ does not send $q$ message $m$. Other elements in $\sigma$ have the same meaning as those in ordinary traces (Section 2.2).

A planned trace $\sigma$ is well formed if $\alpha(s) \cap \neg\alpha(s) = \emptyset$. It is important to include these inactions in $\sigma$ because they help us detect inconsistencies between an agent's plans in different states. We define a function $Tr(\sigma)$ to convert $\sigma$ to a normal trace. This function simply erases all parts of the trace associated with inactions.
Overall privacy policy

\[
\begin{array}{l}
\varphi_{pol} = G\,\forall p_1, p_2, m'.\ \mathrm{hlsend}(p_1, p_2, m') \supset \\
\quad (\nu\, \mathrm{maysend}(p_1, p_2, m).\ \forall q, t.\ \mathrm{contains}(m, q, t) \supset \\
\quad\quad (\blacklozenge \mathrm{hlsend}(p_1, q, f.\mathrm{dis}(p_1, p_2, q, t))\ \wedge \\
\quad\quad\ \forall p', m''.\ \mathrm{hlsend}(p', p_1, m'') \wedge \mathrm{contains}(m'', q, t) \supset \\
\quad\quad\quad \bigcirc \mathrm{maysend}(p', p_2, m'')))\,(p_1, p_2, m')
\end{array}
\]

Responsibilities for an institution (note: there is no use of fixed points)

\[
\begin{array}{l}
\varphi_{r1} = G\,\forall p_1, p_2, m.\ \mathrm{hlsend}(p_1, p_2, m) \supset \\
\quad \forall q, t.\ \mathrm{contains}(m, q, t) \supset \\
\quad\quad (\blacklozenge \mathrm{hlsend}(p_1, q, f.\mathrm{dis}(p_1, p_2, q, t))\ \wedge \\
\quad\quad\ \forall p', m'.\ \mathrm{hlsend}(p', p_1, m') \wedge \mathrm{contains}(m', q, t) \supset \\
\quad\quad\quad \blacklozenge \mathrm{send}(p', p_1, f.\mathrm{reply.maysend}(p', p_2, m'))) \\[8pt]
\varphi_{r2} = G\,\forall p_1, p_0, p_2, m.\ \mathrm{send}(p_1, p_0, f.\mathrm{reply.maysend}(p_1, p_2, m)) \supset \\
\quad \forall q, t.\ \mathrm{contains}(m, q, t) \supset \\
\quad\quad (\blacklozenge \mathrm{hlsend}(p_1, q, f.\mathrm{dis}(p_1, p_2, q, t))\ \wedge \\
\quad\quad\ \forall p', m'.\ \mathrm{hlsend}(p', p_1, m') \wedge \mathrm{contains}(m', q, t) \supset \\
\quad\quad\quad \blacklozenge \mathrm{send}(p', p_1, f.\mathrm{reply.maysend}(p', p_2, m')))
\end{array}
\]

Responsibilities for P's internal departments

\[
\begin{array}{l}
G\,\forall p', m, q, t.\ \mathrm{send}(D, SR, f.\mathrm{sent.dis}(p', q, t)) \supset \blacklozenge \mathrm{hlsend}(D, q, f.\mathrm{dis}(p, p', q, t)) \\[8pt]
\varphi_{SR1} = G\,\forall p_2, m, q, t.\ \mathrm{hlsend}(SR, p_2, m) \wedge \mathrm{contains}(m, q, t) \supset \\
\quad (\blacklozenge \mathrm{send}(D, SR, f.\mathrm{sent.dis}(p_2, q, t))\ \wedge \\
\quad\ \forall p', m'.\ \mathrm{hlsend}(p', SR, m') \wedge \mathrm{contains}(m', q, t) \supset \\
\quad\quad \blacklozenge \mathrm{send}(QR, SR, f.\mathrm{reply.maysend1}(p', p_2, m'))) \\[8pt]
\varphi_{SR2} = \forall p_1, m.\ \mathrm{send}(SR, QR, f.\mathrm{maysend}(p_1, m)) \supset \\
\quad (\blacklozenge \mathrm{send}(D, SR, f.\mathrm{sent.dis}(p_1, q, t))\ \wedge \\
\quad\ \forall p', m'.\ \mathrm{hlsend}(p', SR, m') \wedge \mathrm{contains}(m', q, t) \supset \\
\quad\quad \blacklozenge \mathrm{send}(QR, SR, f.\mathrm{reply.maysend1}(p', p_1, m'))) \\[8pt]
\varphi_{QR1} = G\,\forall p_1, p_2, m.\ \mathrm{send}(QR, SR, f.\mathrm{reply.maysend1}(p_1, p_2, m)) \supset \\
\quad \blacklozenge \mathrm{send}(p_1, QR, f.\mathrm{reply.maysend}(p_1, p_2, m)) \\[8pt]
\varphi_{QR2} = \forall p_1, p_2, m.\ \mathrm{send}(QR, p_1, f.\mathrm{reply.maysend}(p, p_2, m)) \supset \\
\quad \blacklozenge \mathrm{send}(SR, QR, f.\mathrm{maysend}(p_2, m))
\end{array}
\]

Functions such as $f.\mathrm{dis}(p_1, p_2, q, t)$ generate a particular kind of message. For instance, $f.\mathrm{dis}(p_1, p_2, q, t)$ is a notice of disclosure to $q$ stating that $p_1$ will disclose to $p_2$ information $t$.

Figure 2: Example Process
We say $q$ is the performer of $P\,\bar{t}$ if $q$ can perform the action represented by predicate $P\,\bar{t}$. For example, $p$ is the performer of $\mathrm{send}(p, q, m)$.

We write $\sigma|_i$ to denote the projection of $\sigma$ up to the $i$th state. We write $\sigma|_{i-1} = \emptyset$ to mean that the domain of all functions defining $\sigma$ does not contain any state that is earlier than state $i$.

We write $\sigma|^{a}_{S}$ to denote the trace that is the same as $\sigma$ except that it only contains actions and inactions of which an agent in $S$ is a performer. We write $\sigma|^{o}_{S}$ to denote the trace containing only the parts of $\sigma$ that are observable by some agent in $S$.

We say $i$ is in the domain of $\sigma$ if $i$ is in the domain of all the functions that define $\sigma$.

To ensure composition, we assume that all agents agree on the smallest time increment $\iota$, and we only consider traces where for each pair of states $i$ and $i+1$, $\tau(i+1) = \tau(i) + \iota$. A starting time $t_0$ for state 0 uniquely determines the time points for the rest of the states. Given $\tau$, we write $\mathrm{start}(\tau)$ to denote the time point at state 0. We say $\tau$ is compatible with $\tau'$ if $\mathrm{start}(\tau) = \mathrm{start}(\tau')$.

We write $\sigma_1 \uplus \sigma_2$ to denote the merge of $\sigma_1$ and $\sigma_2$. Intuitively, it is obtained by taking the union of the knowledge map, role sets, action sets and predicates of states that have the same timestamp. Let us use subscript 1 to index functions defining $\sigma_1$ and 2 to index those defining $\sigma_2$. The merge operation is well defined only if, for all states $i$ that are in the domain of both $\sigma_1$ and $\sigma_2$, the following hold:

• $\tau_1(i) = \tau_2(i)$

• $\rho_1(i) = \rho_2(i)$

• $\alpha_1(i) \cap \neg\alpha_2(i) = \emptyset$, $\alpha_2(i) \cap \neg\alpha_1(i) = \emptyset$
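The merge $\uplus$ and its well-definedness conditions are what the feasibility definition later relies on to reject plans that contradict an agent's own earlier decisions. The following Python is an added example, not code from the paper: it implements planned traces, well-formedness, $Tr$ and $\uplus$ with the three conditions above. States are indexed by position, the knowledge map $\kappa$ of the state tuple is omitted, and the sample plans are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Act = Tuple[str, ...]   # e.g. ("send", "p", "q", "m1")


@dataclass(frozen=True)
class PState:
    """One state of a planned trace: (rho, alpha, not_alpha, tau).
    The knowledge map kappa of the paper's state tuple is omitted here."""
    tau: int                                          # time point
    rho: FrozenSet[Tuple[str, str]] = frozenset()     # role set, e.g. {("q", "customer(p)")}
    alpha: FrozenSet[Act] = frozenset()               # actions performed
    not_alpha: FrozenSet[Act] = frozenset()           # planned inactions (¬alpha)

PlannedTrace = Dict[int, PState]   # state index -> state; the domain may have gaps


def well_formed(sigma: PlannedTrace) -> bool:
    """alpha(s) ∩ ¬alpha(s) = ∅ in every state."""
    return all(not (s.alpha & s.not_alpha) for s in sigma.values())


def merge(s1: PlannedTrace, s2: PlannedTrace) -> Optional[PlannedTrace]:
    """sigma1 ⊎ sigma2, or None when the merge is not well-defined.

    For every state in both domains the three conditions must hold:
    tau1 = tau2, rho1 = rho2, alpha1 ∩ ¬alpha2 = ∅ and alpha2 ∩ ¬alpha1 = ∅."""
    out: PlannedTrace = {}
    for i in sorted(set(s1) | set(s2)):
        if i in s1 and i in s2:
            a, b = s1[i], s2[i]
            if a.tau != b.tau or a.rho != b.rho:
                return None
            if (a.alpha & b.not_alpha) or (b.alpha & a.not_alpha):
                return None
            out[i] = PState(a.tau, a.rho, a.alpha | b.alpha, a.not_alpha | b.not_alpha)
        else:
            out[i] = s1[i] if i in s1 else s2[i]
    return out


def tr(sigma: PlannedTrace) -> PlannedTrace:
    """Tr(sigma): erase every planned inaction, leaving an ordinary trace."""
    return {i: PState(s.tau, s.rho, s.alpha) for i, s in sigma.items()}


# Constructed plans (not from the paper). Agent p sends m1 at state 0 and
# plans NOT to send m2 at state 1; the rest of the system acts at state 1.
T0 = 100
PLAN_P: PlannedTrace = {
    0: PState(T0,     alpha=frozenset({("send", "p", "q", "m1")})),
    1: PState(T0 + 1, not_alpha=frozenset({("send", "p", "q", "m2")})),
}
OTHERS: PlannedTrace = {1: PState(T0 + 1, alpha=frozenset({("send", "b", "p", "m3")}))}
# A later decision of p's that contradicts the inaction planned above.
CONFLICT: PlannedTrace = {1: PState(T0 + 1, alpha=frozenset({("send", "p", "q", "m2")}))}

if __name__ == "__main__":
    print(merge(PLAN_P, OTHERS))      # well-defined: the plans agree at state 1
    print(merge(PLAN_P, CONFLICT))    # None: send(p,q,m2) is both planned and forbidden
```

The second merge fails on the third condition, which is the situation the feasibility definition guards against with the requirement that $\biguplus_{k} \sigma_k \uplus \sigma_k^{S_a}$ stay well-defined as $j$ grows: a plan that re-decides an earlier inaction is not a consistent strategy.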

Def. $\varphi_r$ is local to a set of agents $S_a$ if for all traces $\sigma_1$ and $\sigma_2$, $\sigma_1|^{o}_{S_a} = \sigma_2|^{o}_{S_a}$ implies $\sigma_1 \models \varphi_r$ iff $\sigma_2 \models \varphi_r$.

$\varphi_r$ is local to a set of agents $S_a$ if it does not depend on states that are not observable by any agent in $S_a$.

The responsibilities we focus on have the form $G\,\varphi_r$. A set of responsibilities $\Phi$ is feasible for a group of agents $S_a$ if agents in $S_a$ collectively have a strategy to cause each $\varphi_r$ in $\Phi$ to be true at every state $i$, and future actions will not affect the validity of $\varphi_r$ at $i$.

Def. A set of responsibilities $\Phi$ is feasible for a set of agents $S_a$ if for all $j$ the following holds:

\[
\begin{array}{l}
\forall \sigma_0.\ H(\sigma_0, 0, S_a, t_0) \supset \\
\quad \exists \sigma_0^{S_a}.\ F(\sigma_0^{S_a}, 0, S_a, t_0) \wedge \sigma_0 \uplus \sigma_0^{S_a} \text{ is well-defined}\ \wedge \\
\quad \forall \sigma' \text{ such that } \sigma'|_0 = \emptyset \wedge \sigma' \uplus \sigma_0 \uplus \sigma_0^{S_a} \text{ is well-defined} \supset \\
\quad\quad \forall\, G\,\varphi_i \in \Phi.\ Tr(\sigma' \uplus \sigma_0 \uplus \sigma_0^{S_a}), 0 \models \varphi_i\ \wedge \\
\quad \forall \sigma_1.\ H(\sigma_1, 1, S_a, t_0) \supset \\
\quad\quad \exists \sigma_1^{S_a}.\ F(\sigma_1^{S_a}, 1, S_a, t_0) \wedge \sigma_0 \uplus \sigma_0^{S_a} \uplus \sigma_1 \uplus \sigma_1^{S_a} \text{ is well-defined}\ \wedge \\
\quad\quad \forall \sigma' \text{ such that } \sigma'|_1 = \emptyset \wedge \sigma' \uplus \sigma_0 \uplus \sigma_0^{S_a} \uplus \sigma_1 \uplus \sigma_1^{S_a} \text{ is well-defined} \supset \\
\quad\quad\quad \forall\, G\,\varphi_i \in \Phi.\ Tr(\sigma' \uplus \sigma_0 \uplus \sigma_0^{S_a} \uplus \sigma_1 \uplus \sigma_1^{S_a}), 1 \models \varphi_i\ \wedge \\
\quad\quad \cdots \\
\quad\quad \forall \sigma_j.\ H(\sigma_j, j, S_a, t_0) \supset \\
\quad\quad\quad \exists \sigma_j^{S_a}.\ F(\sigma_j^{S_a}, j, S_a, t_0) \wedge \biguplus_{k=0}^{j} \sigma_k \uplus \sigma_k^{S_a} \text{ is well-defined}\ \wedge \\
\quad\quad\quad \forall \sigma' \text{ such that } \sigma'|_j = \emptyset \wedge \sigma' \uplus \biguplus_{k=0}^{j} \sigma_k \uplus \sigma_k^{S_a} \text{ is well-defined} \supset \\
\quad\quad\quad\quad \forall\, G\,\varphi_i \in \Phi.\ Tr(\sigma' \uplus \biguplus_{k=0}^{j} \sigma_k \uplus \sigma_k^{S_a}), j \models \varphi_i
\end{array}
\]

where $H(\sigma, k, S_a, t_0)$ is true when the domain of $\sigma$ contains only state $k$, $\sigma$ does not contain any actions from any agent in $S_a$, and $t_0$ is the time point for state 0 according to $\tau$. $F(\sigma, k, S_a, t_0)$ is true when $\sigma$ contains only actions from agents in $S_a$, all the planned actions are for states no earlier than $k$, and $t_0$ is the time point for state 0 according to $\tau$. More formal definitions can be found in Figure 6.

In the above definition, $\sigma_i$ are actions by agents other than those in $S_a$ at state $i$, and $\sigma_i^{S_a}$ are actions by agents in $S_a$. The alternating $\forall$ and $\exists$ quantification ensures that, given any actions by agents not in $S_a$, agents in $S_a$ have a way to cause $\varphi_i$ to be true in that state, and any future extension of the trace will not affect the validity of $\varphi_i$ at the current state. The condition that requires $\biguplus_{k=0}^{j} \sigma_k \uplus \sigma_k^{S_a}$ to be well-defined ensures that an agent's current decisions do not conflict with any of her past decisions. Finally, given any $\sigma'$ that only concerns states later than $j$, the merge of $\sigma'$ with all the planned traces by agents in $S_a$ ($\sigma_k^{S_a}$) and all the planned traces by agents not in $S_a$ ($\sigma_k$) satisfies all the responsibilities in $\Phi$ at state $j$. The use of $\sigma'$ is to ensure that once agents in $S_a$ have decided on a strategy at state $j$, all the responsibilities in $\Phi$ still hold at state $j$ no matter what happens in the future.

Feasibility Theorems. In the case studies of HIPAA and GLBA, all the policies are, or can be rewritten into, two general forms. One expresses conditions on performing an action (e.g., §6802 of GLBA); the other expresses future obligations (e.g., §6803 of GLBA).

Based on this observation, we investigate the local feasibility conditions for responsibilities that have the following syntactic structure.

(r1) $G\,(\forall \bar{x}.\ \varphi_c^-(p) \supset \varphi_{past})$

(r2) $G\,(\forall \bar{x}.\ \varphi_{past} \supset \varphi_f^+(p))$

(r3) $G\,(\forall \bar{x}.\ \varphi_{past} \supset \varphi_f^-(p))$

We write $\varphi_{past}$ to denote formulas that do not contain future operators. $\varphi_{past}$ captures conditions on the history of the system execution. Responsibilities in (r1) require an agent to not perform actions in the current state unless $\varphi_{past}$ holds. Responsibilities in (r2) require an agent to fulfill obligations if $\varphi_{past}$ holds. Responsibilities in (r3) require an agent to not perform future actions if $\varphi_{past}$ holds. We define the syntactic constructs used in (r1)–(r3) below.


\[
\begin{array}{lrcl}
\text{Conditions} & K_p(\bar{x}) & ::= & \mathrm{contains}(\bar{x}, q, t) \mid \cdots \mid K_p(\bar{x}) \wedge K_p(\bar{x}) \mid K_p(\bar{x}) \vee K_p(\bar{x}) \mid \exists y.\, K_p(\bar{x}, y) \\[6pt]
\text{Actions} & A_p & ::= & \mathrm{send}(p, q, m) \mid \cdots \\[6pt]
\text{Current Neg Form} & \varphi_c^-(p) & ::= & \bot \mid A_p \mid \varphi_c^-(p) \wedge \varphi \mid \varphi_c^-(p) \vee \varphi_c^-(p) \mid \exists x.\, \varphi_c^-(p) \\[6pt]
\text{Future Pos Form} & \varphi_f^+(p) & ::= & \top \mid A_p \mid \varphi_f^+(p) \wedge \varphi_f^+(p) \mid \varphi_f^+(p) \vee \varphi \\
& & \mid & \exists x.\, K_p(\bar{x}) \wedge \varphi_f^+(p) \mid \forall x.\, \varphi_f^+(p) \\
& & \mid & \bigcirc \varphi_f^+(p) \mid \Diamond \varphi_f^+(p) \mid \varphi_f^+(p)\ \mathcal{U}\ \varphi_f^+(p) \\
& & \mid & \Diamond \downarrow x.\, c(x) \wedge \varphi_f^+(p) \mid \varphi_f^+(p)\ \mathcal{U}\ (\downarrow x.\, c(x) \wedge \varphi_f^+(p)) \\[6pt]
\text{Future Neg Form} & \varphi_f^-(p) & ::= & \top \mid \neg A_p \mid \varphi_f^-(p) \wedge \varphi_f^-(p) \mid \varphi_f^-(p) \vee \varphi \\
& & \mid & \downarrow x.\, \varphi_f^-(p) \mid \forall x.\, \varphi_f^-(p) \\
& & \mid & \bigcirc \varphi_f^-(p) \mid \Box \varphi_f^-(p) \mid \varphi_f^-(p)\ \mathcal{U}\ \varphi_f^-(p) \\
& & \mid & \Box \downarrow x.\, c(x) \wedge \varphi_f^-(p) \mid \varphi_f^-(p)\ \mathcal{U}\ (\downarrow x.\, c(x) \wedge \varphi_f^-(p))
\end{array}
\]

$\varphi_c^-(p)$ includes formulas that $p$ can cause to be false by planning inactions in the current state. The base case for $\varphi_c^-(p)$ is $A_p$, which denotes an action of which $p$ is a performer (e.g., $\mathrm{send}(p, b, m)$). Agent $p$ can cause $\mathrm{send}(p, b, m)$ to be false in the current state by not sending $b$ message $m$. $\varphi_f^+(p)$ is similar to $\varphi_c^-(p)$ but includes all future operators. These are formulas that $p$ can cause to be true by planning actions in future states (e.g., $\Diamond\mathrm{send}(p, b, m)$). Finally, $\varphi_f^-(p)$ also contains future operators, but the base case is $\neg A_p$. These are formulas that $p$ can cause to be true by planning inactions in future states (e.g., $\Box\neg\mathrm{send}(p, b, m)$).

In the definition of $\varphi_f^+$, existentially quantified variables are guarded by predicates $K_p(\bar{x})$. $K_p(\bar{x})$ are formulas for which $p$ can provide a substitution $\delta$ for $\bar{x}$ such that $\delta(K_p(\bar{x}))$ is true and supported by $p$'s knowledge, e.g., $\mathrm{contains}(m, \cdots)$.

Finally, variables bound by the freeze operator are guarded by an inequality constraint on the time points $x$ ($c(x)$). We use them to rule out nonsensical formulas such as $\downarrow x.\ \Diamond\downarrow y.\ (y < x) \wedge \varphi$ ($y$ should only refer to time points no earlier than $x$, because $y$ shows up under a future operator).

We decide not to include all forms of quantification in $\varphi_c^-$, $\varphi_f^+$ and $\varphi_f^-$. For (r1), it makes little sense to have a universal quantification to the left of the implication, which would mean that if all instances of some action occur on the trace, then some condition has to hold. Our case studies also support this decision. The universal quantifiers in $\varphi_f^+(p)$ can be moved to the top level in (r2). Finally, $\varphi_f^-$ talks about inactions, so it does not make sense to have an obligation that requires an agent to selectively not perform an action.
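Since the three forms are meant to be recognized syntactically, here is an added Python example (not code from the paper) that encodes formulas as nested tuples and classifies a responsibility as (r1), (r2) or (r3) by the grammar above. The tuple encoding, the choice of `contains` as the only $K_p$ predicate and `send`/`hlsend` as the action predicates, and the test formulas are constructed for the example. It also checks the two earlier cases: $\varphi_1$ and $\varphi_2$ from Section 4.2 match none of the forms, while $\varphi_{r1}$ of Figure 2 (with P for $p_1$) is an (r1) for P.

```python
from typing import Callable, Optional

# Formula encoding (constructed for this example): ("pred", name, *args) for atoms,
# ("true",), ("false",), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g),
# ("exists"|"forall"|"freeze", x, f) for quantifiers and ↓x, ("past", f) for ◆,
# ("fut", f) for ◇, ("always", f) for □, ("next", f) for ◯, ("until", f, g),
# ("constraint", ...) for a time-point inequality c(x), and ("G", f) at the top.
Formula = tuple
KNOWLEDGE_PREDS = {"contains"}      # K_p: predicates p can instantiate from its own knowledge
ACTION_PREDS = {"send", "hlsend"}   # A_p: action predicates; the performer is the first argument
FUTURE_OPS = {"fut", "next", "always", "until"}

def pr(name: str, *args: str) -> Formula:
    return ("pred", name) + args

def is_action_of(f: Formula, p: str) -> bool:
    return f[0] == "pred" and f[1] in ACTION_PREDS and len(f) > 2 and f[2] == p

def is_past(f: Formula) -> bool:
    """phi_past: no future operator anywhere in the formula."""
    return f[0] not in FUTURE_OPS and all(is_past(c) for c in f[1:] if isinstance(c, tuple))

def is_cond(f: Formula, p: str) -> bool:
    """K_p(x): knowledge predicates closed under ∧, ∨ and ∃."""
    if f[0] == "pred":
        return f[1] in KNOWLEDGE_PREDS
    if f[0] in ("and", "or"):
        return is_cond(f[1], p) and is_cond(f[2], p)
    return f[0] == "exists" and is_cond(f[2], p)

def guarded_freeze(f: Formula, p: str, inner: Callable[[Formula, str], bool]) -> bool:
    """↓x. c(x) ∧ phi, with phi checked by `inner`."""
    return f[0] == "freeze" and f[2][0] == "and" and f[2][1][0] == "constraint" and inner(f[2][2], p)

def is_cur_neg(f: Formula, p: str) -> bool:
    """phi_c^-(p): p can make it false in the current state by planning inactions."""
    op, r = f[0], lambda g: is_cur_neg(g, p)
    if op in ("false", "pred"):  return op == "false" or is_action_of(f, p)
    if op == "and":              return r(f[1]) or r(f[2])     # phi_c^-(p) ∧ phi, either side
    if op == "or":               return r(f[1]) and r(f[2])
    return op == "exists" and r(f[2])

def is_fut_pos(f: Formula, p: str) -> bool:
    """phi_f^+(p): p can make it true by planning actions in future states."""
    op, r = f[0], lambda g: is_fut_pos(g, p)
    if op in ("true", "pred"):   return op == "true" or is_action_of(f, p)
    if op == "and":              return r(f[1]) and r(f[2])
    if op == "or":               return r(f[1]) or r(f[2])      # phi_f^+(p) ∨ phi, either side
    if op == "exists":           return f[2][0] == "and" and is_cond(f[2][1], p) and r(f[2][2])
    if op in ("forall", "next"): return r(f[-1])                # the sub-formula is the last element
    if op == "fut":              return r(f[1]) or guarded_freeze(f[1], p, is_fut_pos)
    if op == "until":            return r(f[1]) and (r(f[2]) or guarded_freeze(f[2], p, is_fut_pos))
    return False

def is_fut_neg(f: Formula, p: str) -> bool:
    """phi_f^-(p): p can make it true by planning inactions in future states."""
    op, r = f[0], lambda g: is_fut_neg(g, p)
    if op in ("true", "not"):    return op == "true" or is_action_of(f[1], p)
    if op == "and":              return r(f[1]) and r(f[2])
    if op == "or":               return r(f[1]) or r(f[2])
    if op in ("forall", "freeze", "next"): return r(f[-1])
    if op == "always":           return r(f[1]) or guarded_freeze(f[1], p, is_fut_neg)
    if op == "until":            return r(f[1]) and (r(f[2]) or guarded_freeze(f[2], p, is_fut_neg))
    return False

def classify(resp: Formula, p: str) -> Optional[str]:
    """'r1', 'r2' or 'r3' when G(∀x. A ⊃ B) fits one of the three forms for agent p, else None."""
    if resp[0] != "G":
        return None
    body = resp[1]
    while body[0] == "forall":
        body = body[2]
    if body[0] != "imp":
        return None
    a, b = body[1], body[2]
    if is_cur_neg(a, p) and is_past(b):
        return "r1"
    if is_past(a) and is_fut_pos(b, p):
        return "r2"
    if is_past(a) and is_fut_neg(b, p):
        return "r3"
    return None

# phi_1 and phi_2 from Section 4.2, assigned to agent p: neither fits a form.
PHI_1 = ("G", ("forall", "c", ("forall", "m", ("imp", ("past", pr("send", "c", "p", "m")),
                                                ("exists", "m'", pr("send", "b", "c", "m'"))))))
PHI_2 = ("G", ("forall", "m", ("imp", ("fut", pr("send", "b", "p", "m")),
                                ("exists", "m'", pr("send", "p", "c", "m'")))))
# phi_r1 of Figure 2 with P for p1: an (r1) for P, since its consequent is a past formula.
PHI_R1 = ("G", ("forall", "p2", ("forall", "m", ("imp", pr("hlsend", "P", "p2", "m"),
    ("forall", "q", ("forall", "t", ("imp", pr("contains", "m", "q", "t"),
        ("and", ("past", pr("hlsend", "P", "q", "f.dis(P,p2,q,t)")),
                ("forall", "p'", ("forall", "m'", ("imp",
                    ("and", pr("hlsend", "p'", "P", "m'"), pr("contains", "m'", "q", "t")),
                    ("past", pr("send", "p'", "P", "f.reply.maysend(p',p2,m')")))))))))))))
# A deadline obligation shaped like the annual notice of Section 3: an (r2).
PHI_NOTICE = ("G", ("forall", "q", ("imp", pr("beginrole", "q", "customer(p)"),
    ("fut", ("freeze", "y", ("and", ("constraint", "y", "<=", "x+365"),
                                    pr("hlsend", "p", "q", "annual-notice")))))))
# A standing prohibition once a subject has opted out: an (r3).
PHI_OPTOUT = ("G", ("forall", "p2", ("forall", "m", ("imp", ("past", pr("optout", "q", "p")),
    ("always", ("not", pr("send", "p", "p2", "m")))))))
```

`classify(PHI_1, "p")` and `classify(PHI_2, "p")` both return `None`: the first obliges another agent's action and the second conditions on the future, which is exactly why neither is feasible for $p$. `classify(PHI_R1, "P")` returns `"r1"`, and the same formula for a principal other than P matches nothing, since the antecedent is then not an action of that principal.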
We build up our theorems about feasibility from a single responsibility, to the composition of responsibilities for a single agent, to the composition of responsibilities for a group of agents. The proofs are constructive: they provide concrete plans for agents to discharge their responsibilities. (Details of proofs and auxiliary judgments used in the theorems are in Appendix D.)

Theorem 4.1 (Feasibility of one responsibility).

(r1) $G\,(\forall \bar{x}.\ \varphi_c^-(p) \supset \varphi_{past})$ is feasible for agent $p$.

(r2) $G\,(\forall \bar{x}.\ \varphi_{past} \supset \varphi_f^+(p))$ is feasible for agent $p$ if $\vdash \varphi_{past}\ \mathsf{fin}$, $\cdot; \cdot \vdash \varphi_f^+(p)\ \mathsf{sat}$ and $A_f(\varphi_f^+(p)) \vdash \varphi_{past}$.

(r3) $G\,(\forall \bar{x}.\ \varphi_{past} \supset \varphi_f^-(p))$ is feasible for $p$ if $\cdot \vdash \varphi_f^-(p)\ \mathsf{sat}$.

(r1) is trivially feasible by planning inactions in all states; (r2) is feasible by planning only the actions required by $\varphi_f^+$ when $\varphi_{past}$ is true; and (r3) is feasible by planning the inactions required by $\varphi_f^-$ in all states. The conditions $\varphi_{past}$ only depend on the history of the trace, so at each state $p$ can decide whether or not these conditions hold; thus, no future prediction is required.

There are several subtle conditions in (r2). The judgment $\vdash \varphi_{past}\ \mathsf{fin}$ ensures that for any given trace, there exist only a finite number of substitutions $\delta$ for $fv(\varphi_{past})$ such that $\delta\varphi_{past}$ holds. This condition allows $p$ to plan only a finite number of actions in each state. The judgment $A_f(\varphi_f^+(p)) \vdash \varphi_{past}$ holds when the actions required by $\varphi_f^+(p)$ do not overlap with the actions that $\varphi_{past}$ depends on. We need to make sure that the actions $p$ has planned will not cause more instances of $\varphi_{past}$ to be true, in which case it is not obvious whether $p$ only needs to perform a finite number of actions. For instance, $\varphi_r = \forall m.\ \mathrm{send}(p, q, m) \supset \mathrm{send}(p, q, (m, m))$ is not feasible for $p$, because $p$ needs to perform an infinite number of send actions although it fits the syntactic form presented in (r2). Finally, the judgment $\Sigma; \Gamma \vdash \varphi\ \mathsf{sat}$ checks whether all the time points introduced by the freeze operators in $\varphi_f^+(p)$ are sensible. For instance, nonsensical formulas such as $\downarrow x.\ \Diamond\downarrow y.\ (y < x) \wedge \varphi$ are ruled out. Note that we cannot decide purely syntactically whether $c(x)$ is satisfiable; the rules for $\Sigma; \Gamma \vdash \varphi\ \mathsf{sat}$ call a theorem prover to check satisfiability of conditions.

In order to compose plans of different agents, we need to make sure that an agent $p$'s plan is not affected by changes in the current state caused by another agent $b$. Otherwise, the agents would not be able to achieve a stable state without computing a global fixed point across the entire group or imposing a global ordering of agents' actions. We define a syntactic check on a past formula, written $p \vdash \varphi\ \mathsf{StrictPast}$, to ensure that all the current actions that may cause $\varphi$ to be true are completely controlled by $p$. Theorem 4.2 states that a group of agents has a strategy to fulfill a set of responsibilities if each of them can fulfill their own responsibilities, and none of the past formulas is affected by current actions of other agents.

Theorem 4.2 (Feasibility composition for multi-agents). Given a group of agents $S_a$, let $\Phi_p$ be the set of responsibilities for $p \in S_a$. Assume that $\Phi_p$ is feasible for $p$. If for each $\varphi_i \in \Phi_p$ one of the following conditions holds, then the union of $\Phi_p$ for all $p \in S_a$ is feasible for $S_a$.

1. $\varphi_i = G\,\forall \bar{x}.\ \varphi_c^-(p) \supset \varphi_{past}$, and $p \vdash \varphi_{past}\ \mathsf{StrictPast}$

2. $\varphi_i = G\,\forall \bar{x}.\ \varphi_{past} \supset \varphi_f^+(p)$, and $p \vdash \varphi_{past}\ \mathsf{StrictPast}$

3. $\varphi_i = G\,\forall \bar{x}.\ \varphi_{past} \supset \varphi_f^-(p)$, and $p \vdash \varphi_{past}\ \mathsf{StrictPast}$

So far, we have assumed that an agent can observe all actions in the history, but this is not true in general. An agent $a$ may only view a certain part of the state.

Def. We say that $\varphi$ is visible to an agent $a$ if all the atomic predicates in $\varphi$ describe states visible to $a$.

Theorem 4.3. If $\varphi$ is visible to $S_a$ then $\varphi$ is local to $S_a$.

Theorem 4.3 and Theorem 4.2 together give us conditions for locally feasible responsibilities for a set of agents.

Discussion. We have made the assumption that the existence of states is visible to all agents, even though certain actions in those states are not. In other words, all agents are synchronized in lock-step. This assumption simplifies the definition of the merge of two traces, since we do not need to consider inserting a state from one trace between two adjacent states of the other. A more general model would allow agents to be completely asynchronous, and the merge of two traces to be defined based on the total ordering of time points. The feasibility theorems given here allow more responsibilities to be feasible than would be allowed in the more general case. For instance, $\blacklozenge\varphi \supset \mathrm{send}(p, q, m)$ would not be locally feasible for $p$ in the general case, because $p$ has no way of satisfying this responsibility in states that are not visible to $p$. We plan to investigate the classification of locally feasible responsibilities in the asynchronous case in future work.


5  Privacy  Policy  Enforcement 

We present two logic-based methods for enforcing privacy policies. Our first method answers the question: does a given organizational process respect a given privacy policy? This method is based on a sound proof system for LFP and is described in Section 5.1. Although the proof system is obtained by adapting previous proof systems for an intuitionistic logic with fixed points, $\mu$LJ [8, 17], to our classical logic LFP, we believe that its soundness with respect to trace semantics is a new result. Our second enforcement method audits logs of organizational activity for violations of principals' assigned responsibilities. It is based on a novel tableau-based model checking procedure for LFP that we present and prove sound in Section 5.2. Although we develop both methods for LFP, due to the embedding in Section 2.3, both methods apply to PrivacyLFP, as illustrated by examples here.

5.1  Auditing  Organizational  Processes 

We present a proof-theoretic method to check whether a given organizational process respects a given privacy policy. We assume that the organizational process is specified in terms of responsibilities $\varphi_{r1}, \ldots, \varphi_{rn}$ of the organization's principals. The privacy policy $\varphi_p$ is also assumed to be specified in LFP. It may, for example, be the formalization of a privacy law such as GLBA or HIPAA from Section 3. Technically, the problem is that of establishing the entailment $(\varphi_{ctx} \wedge \bigwedge_{i=1}^{n} \varphi_{ri}) \supset \varphi_p$, where $\varphi_{ctx}$ relates privacy-relevant actions in the organizational process to their counterparts in the policy (examples of such formulas appear in the example at the end of this section). We propose the use of a proof system for LFP to check such entailments. We show that the proof system is sound with respect to the semantics of LFP, which, together with the above entailment, ensures that if principals fulfill their respective responsibilities then the privacy policy is not violated.

Our proof system, presented in the sequent calculus style of Gentzen [22], establishes hypothetical judgments or sequents $\Sigma; \Gamma \vdash \Delta$, where $\Gamma$ and $\Delta$ are sets of LFP formulae and $\Sigma$ is a set of variables that occur free in them. The intuitive meaning of $\Sigma; \Gamma \vdash \Delta$ is that for all substitutions $\theta$ for variables in $\Sigma$, $\bigwedge \Gamma\theta$ entails $\bigvee \Delta\theta$. The rules of inference are shown in Figure 3. Rules for connectives of first-order logic are standard. The interesting rules are those for fixed-point operators, all of which are adapted from similar calculi for the intuitionistic fixed-point logic $\mu$LJ by Baelde [8] and Clairambault [17]. In the rules $\mu$L and $\nu$R, $\psi$ is an arbitrary formula. The rules $\mu$R and $\nu$L simply unfold the fixed points. The rules $\mu$L and $\nu$R encode induction and co-induction principles for the least and the greatest fixed point operators respectively. We refer the reader to prior work [8, 17] for an explanation of induction and co-induction, but illustrate the use of the rules for the greatest fixed point operator in proving compliance of organizational processes with privacy policies through an example.

Theorem 5.1 (Soundness of the sequent calculus). If $\Sigma; \Gamma \vdash \Delta$ then for all traces $\sigma$ and for all substitutions $\theta$ with $dom(\theta) = \Sigma$, $(\theta; \sigma \models \bigwedge\Gamma)$ implies $(\theta; \sigma \models \bigvee\Delta)$.

Proof. See Appendix B, Lemma B.1. □
\[
\begin{array}{c}
\dfrac{}{\Sigma; \Gamma, \varphi \vdash \varphi, \Delta}\ \textsc{init}
\qquad
\dfrac{}{\Sigma; \Gamma \vdash \top, \Delta}\ \top\textsc{R}
\qquad
\dfrac{}{\Sigma; \Gamma, \bot \vdash \Delta}\ \bot\textsc{L}
\\[14pt]
\dfrac{\Sigma; \Gamma, \varphi_1, \varphi_2 \vdash \Delta}{\Sigma; \Gamma, \varphi_1 \wedge \varphi_2 \vdash \Delta}\ \wedge\textsc{L}
\qquad
\dfrac{\Sigma; \Gamma \vdash \varphi_1, \Delta \quad\quad \Sigma; \Gamma \vdash \varphi_2, \Delta}{\Sigma; \Gamma \vdash \varphi_1 \wedge \varphi_2, \Delta}\ \wedge\textsc{R}
\\[14pt]
\dfrac{\Sigma; \Gamma, \varphi_1 \vdash \Delta \quad\quad \Sigma; \Gamma, \varphi_2 \vdash \Delta}{\Sigma; \Gamma, \varphi_1 \vee \varphi_2 \vdash \Delta}\ \vee\textsc{L}
\qquad
\dfrac{\Sigma; \Gamma \vdash \varphi_1, \varphi_2, \Delta}{\Sigma; \Gamma \vdash \varphi_1 \vee \varphi_2, \Delta}\ \vee\textsc{R}
\\[14pt]
\dfrac{\Sigma; \Gamma \vdash \varphi, \Delta}{\Sigma; \Gamma, \neg\varphi \vdash \Delta}\ \neg\textsc{L}
\qquad
\dfrac{\Sigma; \Gamma, \varphi \vdash \Delta}{\Sigma; \Gamma \vdash \neg\varphi, \Delta}\ \neg\textsc{R}
\\[14pt]
\dfrac{\Sigma; \Gamma, \varphi\{t/x\} \vdash \Delta}{\Sigma; \Gamma, \forall x.\varphi \vdash \Delta}\ \forall\textsc{L}
\qquad
\dfrac{\Sigma, a; \Gamma \vdash \varphi\{a/x\}, \Delta}{\Sigma; \Gamma \vdash \forall x.\varphi, \Delta}\ \forall\textsc{R}
\\[14pt]
\dfrac{\Sigma, a; \Gamma, \varphi\{a/x\} \vdash \Delta}{\Sigma; \Gamma, \exists x.\varphi \vdash \Delta}\ \exists\textsc{L}
\qquad
\dfrac{\Sigma; \Gamma \vdash \varphi\{t/x\}, \Delta}{\Sigma; \Gamma \vdash \exists x.\varphi, \Delta}\ \exists\textsc{R}
\\[14pt]
\dfrac{\Sigma; \Gamma \vdash \varphi\{\mu X(x).\varphi/X\}\{t/x\}, \Delta}{\Sigma; \Gamma \vdash (\mu X(x).\varphi)(t), \Delta}\ \mu\textsc{R}
\qquad
\dfrac{\Sigma; \Gamma, \psi\{t/x\} \vdash \Delta \quad\quad \Sigma, y; \Gamma, \varphi\{\lambda x.\psi/X\}\{y/x\} \vdash \psi\{y/x\}}{\Sigma; \Gamma, (\mu X(x).\varphi)(t) \vdash \Delta}\ \mu\textsc{L}
\\[14pt]
\dfrac{\Sigma; \Gamma \vdash \psi\{t/x\}, \Delta \quad\quad \Sigma, y; \Gamma, \psi\{y/x\} \vdash \varphi\{\lambda x.\psi/X\}\{y/x\}}{\Sigma; \Gamma \vdash (\nu X(x).\varphi)(t), \Delta}\ \nu\textsc{R}
\qquad
\dfrac{\Sigma; \Gamma, \varphi\{\nu X(x).\varphi/X\}\{t/x\} \vdash \Delta}{\Sigma; \Gamma, (\nu X(x).\varphi)(t) \vdash \Delta}\ \nu\textsc{L}
\end{array}
\]

Figure 3: Sequent calculus for LFP


Continuing the example from Section 4.1, we would like to audit the processes shown in Figure 2. First, we need to formalize connections between actions of internal processes and their counterparts in higher-level responsibilities: we need to establish that whenever P sends a disclosure, it comes from the disclosure department D, and vice versa. This is encoded in the formulas $\varphi_{ctx1}$ and $\varphi_{ctx2}$ below. (Similar requirements hold for the other two departments as well, but this suffices for our illustration.)

\[
\varphi_{ctx1} = G\,\forall q, t, p'.\ \mathrm{hlsend}(p, q, f.\mathrm{dis}(p, p', q, t)) \supset \mathrm{hlsend}(D, q, f.\mathrm{dis}(p, p', q, t))
\]

\[
\varphi_{ctx2} = G\,\forall q, t, p'.\ \mathrm{hlsend}(D, q, f.\mathrm{dis}(p, p', q, t)) \supset \mathrm{hlsend}(p, q, f.\mathrm{dis}(p, p', q, t))
\]

Auditing the processes involves discharging the following two proof obligations, where $\varphi'_{ri}$ ($i = 1, 2$) is the formula $\varphi_{ri}$ from Figure 2 without the outermost quantification of $p_1$, and with P substituted for $p_1$: (1) $\varphi'_{r1}, \varphi'_{r2} \vdash \varphi_{pol}$, and (2) $\bigwedge_i \varphi_{SRi}, \bigwedge_i \varphi_{QRi} \vdash \varphi'_{r1} \wedge \varphi'_{r2}$. We illustrate our method by explaining briefly a proof of (1). The proof relies on the co-induction principle for greatest fixed points codified in the rule $\nu$R. A skeleton of the proof is shown in Figure 4. To apply the rule $\nu$R, we need an appropriate predicate $\psi$ that validates the premises of the rule. Here, an appropriate $\psi$ is the inner body of $\varphi_{r1}$ and $\varphi_{r2}$.

5.2  Auditing  Responsibilities 

Our second enforcement method is an auditing technique which checks logs of organizational activity for violations of principals' assigned responsibilities. Formally, the problem is one of ensuring that a trace $\sigma$ (concretely represented as a log of past activity of principals) satisfies each responsibility, i.e., $\cdot; \sigma \models \varphi_{ri}$ for each responsibility $\varphi_{ri}$.¹ Technically, this is a model checking problem, so, in this section, we develop a local model checking method for LFP and prove it sound.² To the best of our knowledge, this is the first local model checking procedure for LFP. Our method builds on prior work on local model checking for the modal $\mu$-calculus [24, 30, 34], which is the propositional fragment of LFP. The modal $\mu$-calculus is interpreted over

¹ $\cdot$ is our notation for an empty set or an empty substitution. Throughout this section, we work only in formulas without free first-order variables.

² A model checking method is called "local" if it does not explicitly compute the entire interpretation of each recursively defined predicate.
Figure 4: Example proof tree for obligation (1). The co-inductive invariant supplied to rule $\nu$R is

$\psi(p_1, p_2, m) = \forall q, t.\ \mathrm{contains}(m, q, t) \supset (\Diamond\mathrm{hlsend}(p_1, q, \mathrm{f\_dis}(p_1, p_2, q, t)) \wedge \forall p', m'.\ \mathrm{hlsend}(p', p_1, m') \wedge \mathrm{contains}(m', q, t) \supset \Diamond\mathrm{send}(p', p_1, \mathrm{f\_reply\_maysend}(p', p_2, m')))$

($\varphi_b$ is the body of $\mathrm{maysend}$). The root of the tree is $\varphi_{r1}, \varphi_{r2} \vdash \varphi_{pol}$. After the rules $\{\forall\mathrm{R}, \wedge\mathrm{L}, \vee\mathrm{R}, \neg\mathrm{R}, \forall\mathrm{L}, \neg\mathrm{L}\}$ it reduces to $\varphi_{r2}, \psi\{p'_1, p_2, m'/p_1, p_2, m\} \vdash (\nu\,\mathrm{maysend}(p_1, p_2, m).\varphi_b)(p'_1, p_2, m')$, which $\nu$R with invariant $\psi$ splits into a premise closed by INIT ($\psi\{p', p_2, m''/p_1, p_2, m\} \vdash \psi\{p', p_2, m''/p_1, p_2, m\}$) and a premise of the form $\varphi_{r2}, \mathrm{send}(p', p_1, \mathrm{f\_reply\_maysend}(p', p_2, m'')) \vdash \psi\{p', p_2, m''/p_1, p_2, m\}$.


Kripke structures and the objective of model checking for it is to find, for each recursively defined predicate, the set of worlds of the Kripke structure in which the predicate is true. The key insight in generalizing model checking from the modal $\mu$-calculus to LFP is to view each tuple of terms as a world and to relate satisfaction relations in the modal $\mu$-calculus and LFP by saying that the world $t$ satisfies the LFP predicate $P$ if and only if $P(t)$ holds. Given this insight, our model checking method is an unsurprising generalization of Winskel's method [34] for model-checking the modal $\mu$-calculus.

We formalize the model-checking procedure as semantic tableaus. We work only in NNF formulas (we showed in Section 2.1 that every LFP formula can be translated to NNF through De Morgan's laws). To deal with greatest fixed-points in tableaus, we rely on equations, which have the form $X \Rightarrow \lambda x.\varphi$ ($\varphi$ may mention both $X$ and $x$). Given this equation, the interpretation of $X$ is the largest relation that equates the two sides of the definition $X(x) = \varphi$ semantically. We call $X$ the defined variable of the equation, $x$ the equation's parameters, and $\varphi$ its body. A list of equations $\mathcal{E}$ is a list $E_1, \ldots, E_n$ with the constraints that no predicate variable be defined twice in the list, and for each $i$, the body of $E_i$ may not mention predicate variables defined in $E_{i+1}, \ldots, E_n$.

Our semantic tableaus work with formulas without first-order variables and infer judgments of the form $\sigma; \mathcal{E}; \Delta \vdash \varphi$, where $\Delta$ is a set of pairs of the form $X : S$, which intuitively means that $X\,t$ holds for each $t \in S$, and $\mathcal{E}$ is a list of equations that defines all predicate variables free in $\Delta$ and $\varphi$. ($S$ is a finite set of tuples.) $\sigma$ is an interpretation of all predicate symbols $P$ in $\mathcal{E}$, $\Delta$, and $\varphi$, given to us as a trace against which we are auditing. Roughly, the meaning of the entire judgment is that $\varphi$ is true in the interpretation $\sigma$ for predicate symbols and the largest possible interpretation for each equation that also includes $X\,t$ for every $X : S \in \Delta$ and $t \in S$.

To check that $\cdot; \sigma \models \varphi$, the tableau procedure starts with the judgment $\sigma; \cdot; \cdot \vdash \varphi$ and tries to construct a derivation by applying the rules of Figure 5 backwards. A branch closes, or successfully ends, when it matches a rule whose premises are satisfiable and do not contain the symbol $\vdash$. Most of the rules of Figure 5 are straightforward and correspond to the semantics of LFP. The interesting rules are those for fixed points. The rule for $(\mu X(x).\varphi)(t)$ unrolls the fixed-point. The soundness of this rule is a consequence of the semantics of
Figure 5: Semantic tableau for model-checking LFP. The rules are applied backwards; $[t]^\cdot$ is the value of the closed term $t$ and $I_\sigma$ the interpretation of predicate symbols given by the trace $\sigma$.

$\frac{[t]^\cdot \in I_\sigma(P)}{\sigma; \mathcal{E}; \Delta \vdash P\,t}$ (INIT) $\qquad$ $\frac{[t]^\cdot \notin I_\sigma(P)}{\sigma; \mathcal{E}; \Delta \vdash \neg(P\,t)}$ ($\neg$INIT) $\qquad$ $\frac{}{\sigma; \mathcal{E}; \Delta \vdash \top}$ ($\top$)

$\frac{\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \quad \sigma; \mathcal{E}; \Delta \vdash \varphi_2}{\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \wedge \varphi_2}$ ($\wedge$) $\qquad$ $\frac{\sigma; \mathcal{E}; \Delta \vdash \varphi_1}{\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \vee \varphi_2}$ ($\vee$1) $\qquad$ $\frac{\sigma; \mathcal{E}; \Delta \vdash \varphi_2}{\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \vee \varphi_2}$ ($\vee$2)

$\frac{\text{all } d \in D.\ (\sigma; \mathcal{E}; \Delta \vdash \varphi\{d/x\})}{\sigma; \mathcal{E}; \Delta \vdash \forall x.\varphi}$ ($\forall$) $\qquad$ $\frac{d \in D \quad \sigma; \mathcal{E}; \Delta \vdash \varphi\{d/x\}}{\sigma; \mathcal{E}; \Delta \vdash \exists x.\varphi}$ ($\exists$)

$\frac{\sigma; \mathcal{E}; \Delta \vdash \varphi\{t/x\}\{(\mu X(x).\varphi)/X\}}{\sigma; \mathcal{E}; \Delta \vdash (\mu X(x).\varphi)(t)}$ ($\mu$) $\qquad$ $\frac{\sigma; \mathcal{E}, X \Rightarrow \lambda x.\varphi; \Delta, X : \{\} \vdash X\,t \quad (X \text{ fresh})}{\sigma; \mathcal{E}; \Delta \vdash (\nu X(x).\varphi)(t)}$ ($\nu$)

$\frac{[t]^\cdot \in [S]^\cdot}{\sigma; \mathcal{E}; \Delta, X : S \vdash X\,t}$ (X1) $\qquad$ $\frac{[t]^\cdot \notin [S]^\cdot \quad (X \Rightarrow \lambda x.\varphi) \in \mathcal{E} \quad \sigma; \mathcal{E}; \Delta, X : S \cup \{t\} \vdash \varphi\{t/x\}}{\sigma; \mathcal{E}; \Delta, X : S \vdash X\,t}$ (X2)


LFP. The rule for $(\nu X(x).\varphi)(t)$ creates a fresh predicate name $X$ for the predicate defined by the fixed-point and stores its definition as the equation $X \Rightarrow \lambda x.\varphi$ in $\mathcal{E}$. The equation is looked up in the rule X2 for checking $X\,t$. In the third premise of that rule, the fact that $X\,t$ has been encountered on the branch is recorded in $\Delta$. This ensures that if $X\,t$ is encountered again, then the branch closes (rule X1). Winskel [34] proved that admitting cycles for greatest fixed-points in this manner is sound in the propositional case. Our soundness theorem (Theorem 5.2) extends that result to the first-order case.

Theorem 5.2 (Soundness of tableau). If $\sigma; \cdot; \cdot \vdash \varphi$ has a successful tableau, then $\cdot; \sigma \models \varphi$.

Proof. See Appendix C, Theorem C.5. □

An  important  practical  consideration  in  any  model  checking  procedure  for  first-order  logic  is  treatment 
of  quantifiers.  The  rules  for  quantifiers  in  Figure  5  require  guessing  a  correct  substitution  for  an  existentially 
bound  variable  and  iterating  over  all  elements  of  the  domain  of  interpretation,  D,  for  a  universally  bound 
variable,  both  of  which  may  be  impossible  if  D  is  infinite.  In  practice,  the  problem  can  be  addressed  by 
assuming  that  all  quantifiers  are  guarded  by  formulas  that  restrict  the  relevant  substitutions  for  the  bound 
variables  to  finite  sets,  as  in  guarded  first-order  logic  [5]. 

We illustrate the use of model-checking in auditing traces for violations of privacy-related responsibilities from the example of Figure 2, which does not include fixed-points. Readers should bear in mind that even though this example does not use fixed-points, their treatment, especially that of greatest fixed-points, is the technically challenging part of the method.

Suppose that $E$ and $Q$ are principals (whose details are irrelevant to this example) and $M$ is a message which contains some information about attribute $T$ of $Q$. Consider a trace $\sigma$ with just two states, $\sigma = s_0 s_1$, each of the two states containing exactly one message transmission, as follows:

$s_0$: $D \to Q$ : $\mathrm{f\_dis}(P, E, Q, T)$

$s_1$: $D \to SR$ : $\mathrm{f\_sent\_dis}(E, Q, T)$

In state $s_0$ the disclosure department $D$ informs principal $Q$ that its information about attribute $T$ may be sent to $E$ by $P$. In the next state $s_1$, $D$ informs $SR$ about this disclosure. We are interested in checking whether $D$ has violated its responsibility from Figure 2. In this example it hasn't. To check that this is the case, we must construct a tableau for $\sigma; \cdot; \cdot \vdash G\ \forall p', m, q, t.\ (\mathrm{send}(D, SR, \mathrm{f\_sent\_dis}(p', q, t)) \supset \Diamond\mathrm{hlsend}(D, q, \mathrm{f\_dis}(P, p', q, t)))$. Expanding the syntax into LFP through the embedding of Section 2.3, we must check that $\sigma; \cdot; \cdot \vdash \forall s, p', m, q, t.\ (\neg\mathrm{send}(s, D, SR, \mathrm{f\_sent\_dis}(p', q, t))) \vee \exists s'.\ ((s' <_{st} s) \wedge \mathrm{hlsend}(s', D, q, \mathrm{f\_dis}(P, p', q, t)))$. Using rule $\forall$ from Figure 5, we must check for every $s, p', m, q, t$ that $\sigma; \cdot; \cdot \vdash (\neg\mathrm{send}(s, D, SR, \mathrm{f\_sent\_dis}(p', q, t))) \vee \exists s'.\ ((s' <_{st} s) \wedge \mathrm{hlsend}(s', D, q, \mathrm{f\_dis}(P, p', q, t)))$. For $(s, p', m, q, t) \neq (s_1, E, M, Q, T)$, the branch $\neg\mathrm{send}(s, D, SR, \mathrm{f\_sent\_dis}(p', q, t))$ succeeds by $\vee$1 and INIT. Hence, it only remains to check that $\sigma; \cdot; \cdot \vdash \exists s'.\ ((s' <_{st} s_1) \wedge \mathrm{hlsend}(s', D, Q, \mathrm{f\_dis}(P, E, Q, T)))$. Choosing $s' = s_0$ in rule $\exists$, this reduces to $\sigma; \cdot; \cdot \vdash (s_0 <_{st} s_1) \wedge \mathrm{hlsend}(s_0, D, Q, \mathrm{f\_dis}(P, E, Q, T))$. The conjunct $s_0 <_{st} s_1$ succeeds by definition of the trace, so we must show only that $\sigma; \cdot; \cdot \vdash \mathrm{hlsend}(s_0, D, Q, \mathrm{f\_dis}(P, E, Q, T))$, which succeeds immediately by rule INIT.
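The tableau walk-through above can be mechanized directly. The following is an added example, not code from the paper: it transcribes the rules of Figure 5 into a small Python procedure over closed NNF formulas and a finite domain, and runs it on the two-state trace just described. The predicate names (`send`, `hlsend`, `lt` for $<_{st}$, `next`, `eq`), the state names, and the successor relation used by the fixed-point examples are assumptions constructed for this example; `never_stuck` and `reachable` go beyond the text's fixed-point-free check to exercise the $\nu$ and $\mu$ rules, including the cycle-closing rule X1.

```python
# Added example, not code from the paper: the local model-checking tableau of
# Figure 5 transcribed into Python for closed NNF formulas over a finite domain.
# Predicate names, state names and the trace below are constructed assumptions.
DOMAIN = ("s0", "s1", "D", "SR", "P", "E", "Q", "T")
# Constructed trace: the two states of the Section 5.2 example plus a successor
# relation in which the last state stutters forever.
TRACE = frozenset({
    ("hlsend", "s0", "D", "Q", ("f_dis", "P", "E", "Q", "T")),   # s0: D -> Q
    ("send", "s1", "D", "SR", ("f_sent_dis", "E", "Q", "T")),     # s1: D -> SR
    ("lt", "s0", "s1"),                                           # s0 <st s1
    ("next", "s0", "s1"), ("next", "s1", "s1"),
})

def holds(facts, pred, args):
    """I_sigma: interpretation of a predicate symbol; eq is built-in equality."""
    return args[0] == args[1] if pred == "eq" else (pred, *args) in facts

def term(t, env):
    """Substitute values for variables (strings starting with '?') in a term."""
    return env.get(t, t) if isinstance(t, str) else tuple(term(u, env) for u in t)

def fsubst(phi, env):
    """phi{env}: first-order substitution that stops at a rebinding of the variable."""
    tag = phi[0]
    if tag in ("P", "notP", "X"):
        return (tag, phi[1], tuple(term(a, env) for a in phi[2]))
    if tag in ("and", "or"):
        return (tag, fsubst(phi[1], env), fsubst(phi[2], env))
    if tag in ("forall", "exists"):
        return (tag, phi[1], fsubst(phi[2], {k: v for k, v in env.items() if k != phi[1]}))
    if tag in ("mu", "nu"):  # (tag, X, params, body, args) encodes (muX(x).phi)(t)
        inner = {k: v for k, v in env.items() if k not in phi[2]}
        return (tag, phi[1], phi[2], fsubst(phi[3], inner), tuple(term(a, env) for a in phi[4]))
    return phi  # top, bot

def psubst(phi, X, mk):
    """phi{mk/X}: replace every application X(args) by the formula mk(args)."""
    tag = phi[0]
    if tag == "X":
        return mk(phi[2]) if phi[1] == X else phi
    if tag in ("and", "or"):
        return (tag, psubst(phi[1], X, mk), psubst(phi[2], X, mk))
    if tag in ("forall", "exists"):
        return (tag, phi[1], psubst(phi[2], X, mk))
    if tag in ("mu", "nu") and phi[1] != X:
        return (tag, phi[1], phi[2], psubst(phi[3], X, mk), phi[4])
    return phi

def tableau(facts, phi, eqs=None, delta=None):
    """sigma; E; Delta |- phi: eqs is E (name -> (params, body)), delta is Delta (name -> tuples)."""
    eqs, delta = eqs or {}, delta or {}
    tag = phi[0]
    if tag in ("P", "notP"):                       # INIT and its negated form
        return holds(facts, phi[1], phi[2]) == (tag == "P")
    if tag in ("top", "bot"): return tag == "top"
    if tag == "and":
        return tableau(facts, phi[1], eqs, delta) and tableau(facts, phi[2], eqs, delta)
    if tag == "or":                                # rules v1 / v2
        return tableau(facts, phi[1], eqs, delta) or tableau(facts, phi[2], eqs, delta)
    if tag in ("forall", "exists"):                # iterate over the finite domain D
        branches = (tableau(facts, fsubst(phi[2], {phi[1]: d}), eqs, delta) for d in DOMAIN)
        return all(branches) if tag == "forall" else any(branches)
    if tag == "X":                                 # rules X1 / X2
        X, args = phi[1], tuple(phi[2])
        seen = delta.get(X, frozenset())
        if args in seen:                           # X1: revisiting X t closes the branch
            return True
        params, body = eqs[X]                      # X2: unfold, remembering X t in Delta
        return tableau(facts, fsubst(body, dict(zip(params, args))), eqs, {**delta, X: seen | {args}})
    X, params, body, args = phi[1:]
    if tag == "mu":                                # rule mu: unroll once
        unrolled = psubst(body, X, lambda a: ("mu", X, params, body, a))
        return tableau(facts, fsubst(unrolled, dict(zip(params, args))), eqs, delta)
    fresh = f"{X}#{len(eqs)}"                      # rule nu: fresh name, new equation
    renamed = psubst(body, X, lambda a: ("X", fresh, a))
    return tableau(facts, ("X", fresh, args),
                   {**eqs, fresh: (params, renamed)}, {**delta, fresh: frozenset()})

def d_responsibility():
    """forall s,p',m,q,t. -send(s,D,SR,f_sent_dis(p',q,t)) or exists s'. s'<st s and hlsend(s',D,q,f_dis(P,p',q,t))"""
    phi = ("or", ("notP", "send", ("?s", "D", "SR", ("f_sent_dis", "?p", "?q", "?t"))),
           ("exists", "?s2", ("and", ("P", "lt", ("?s2", "?s")),
                              ("P", "hlsend", ("?s2", "D", "?q", ("f_dis", "P", "?p", "?q", "?t"))))))
    for v in ("?t", "?q", "?m", "?p", "?s"):       # m is quantified but unused, as in the paper
        phi = ("forall", v, phi)
    return phi

def reachable(src, dst):
    """(muX(s). eq(s,dst) or exists n. next(s,n) and X(n))(src): a least fixed point."""
    body = ("or", ("P", "eq", ("?s", dst)),
            ("exists", "?n", ("and", ("P", "next", ("?s", "?n")), ("X", "R", ("?n",)))))
    return ("mu", "R", ("?s",), body, (src,))

def never_stuck(src):
    """(nuX(s). (exists n. next(s,n)) and forall n. -next(s,n) or X(n))(src): greatest fixed point."""
    body = ("and", ("exists", "?n", ("P", "next", ("?s", "?n"))),
            ("forall", "?n", ("or", ("notP", "next", ("?s", "?n")), ("X", "G", ("?n",)))))
    return ("nu", "G", ("?s",), body, (src,))
```

`tableau(TRACE, d_responsibility())` returns `True`, following exactly the branches traced in the text; removing the `hlsend` fact at $s_0$ makes it return `False`. `never_stuck("s0")` succeeds only because the revisit of $X\,s_1$ is closed by X1; without the self-loop on $s_1$ the $\exists$ conjunct fails at $s_1$. Two limitations of the transcription match the text: quantifiers are checked by iterating over the whole finite `DOMAIN` (the guarded-quantifier refinement of Section 5.2 is not implemented), and a $\mu$ formula is only unrolled, so a false least fixed point over a cyclic `next` relation would not terminate.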

6  Related  Work 

The core logic used for the technical work in this paper is the least fixed-point logic (LFP) [13, 28]. However, the proof theory for fixed-points presented in Section 5.1 is based on an unrelated source, the intuitionistic logic $\mu$LJ, that has been used in the past as a logical framework for specifying and reasoning about formal systems [8, 17]. Besides adapting that work to our classical setting, we also prove the proof system sound with respect to trace semantics. Our model-checking method (Section 5.2) is a first-order extension of prior work on model-checking the propositional modal $\mu$-calculus [24, 30, 34], most notably the work of Winskel [34].

Privacy languages such as EPAL [6, 7] and XACML [4] are formulated as access control frameworks. EPAL and XACML do not possess first-class temporal modalities, but have a much weaker uninterpreted obligation symbol for representing future requirements. Our logic has rich temporal and obligation constructs and is, therefore, more expressive than EPAL and XACML. P3P [1, 15, 29] is a privacy language targeted exclusively to web sites, but due to its domain-specific design it is unsuited for expressing privacy policies based on laws like HIPAA and GLBA. RBAC languages focus on access control [18, 23, 25] but lack a notion of data attribute as well as the temporal modalities needed to express privacy policies.

Choosing  deontic  logic,  rather  than  temporal  logic,  as  a  foundation,  Dinesh  et  al.  have  developed  a 
logic  for  reasoning  about  conditions  and  exceptions  in  privacy  laws  [21].  The  approach  of  Dinesh  et  al.  is 
advantageous  in  that  it  simplifies  the  task  of  formalizing  the  law  clause  by  clause:  there  is  no  need  to  modify 
previously  formalized  clauses  if  exceptions  appear  in  later  paragraphs.  Further  investigation  is  needed  to 
determine  whether  their  ideas  can  be  adapted  to  our  logic. 

7  Conclusion 

We presented the logic PrivacyLFP and used it to express role-based responsibilities of agents in organizational processes. We presented a semantic locality criterion to characterize "reasonable" responsibilities that agents (or groups of agents) have a strategy to discharge, and easily checkable, sound syntactic characterizations of responsibilities that meet this criterion. We developed policy enforcement techniques based on a sound proof system and an auditing procedure for PrivacyLFP based on a tableau-based model checking algorithm we develop. We illustrated these enforcement techniques using a representative example of an organizational process. In future work, we plan to apply these techniques to larger organizational processes, formalize other privacy regulations, and develop tool support for policy enforcement.
A Basic Theory of LFP

We develop some preliminary theory of LFP's semantics. Our proofs of soundness of proof theory and model checking (Section 5) rely on this theory.

Lemma A.1 (Term substitution). The following hold:

1. $\theta, \theta'; I \models \varphi$ if and only if $\theta'; I \models \varphi\theta$

2.

Proof. First observe that since $[t]^{\theta,\theta'}$ must be homomorphic in the structure of terms, $[t\theta]^{\theta'} = [t]^{\theta,\theta'}$. The proof of both statements then follows by lexicographic induction, first on $\varphi$ and then on (1) < (2). □


Lemma A.2 (Variable substitution). Let $\psi$ be a formula, possibly containing the distinguished variables $x$, and let $X$ be a predicate variable of arity $|x|$. Then,

1. $\theta; I \models \varphi\{(\lambda x.\psi)/X\}$ if and only if $\theta; I, X \mapsto \{d \mid \theta, x \mapsto d; I \models \psi\} \models \varphi$.

2. $F^{Y,y}_{\theta,I}(\varphi\{(\lambda x.\psi)/X\}) = F^{Y,y}_{\theta,(I, X \mapsto \{d \mid \theta, x \mapsto d; I \models \psi\})}(\varphi)$

Proof. The proof of both statements follows by lexicographic induction, first on $\varphi$ and then on (1) < (2). □


A.l  Fixed-point  Unrolling 

We  prove  some  results  about  unrolling  of  fixed-points. 

Lemma A.3 (Unrolling lemma). The following hold:

1. $\theta; I \models (\mu X(x).\varphi)\,t$ if and only if $\theta, x \mapsto [t]^\theta; I \models \varphi\{(\mu X(x).\varphi)/X\}$

2. $\theta; I \models (\nu X(x).\varphi)\,t$ if and only if $\theta, x \mapsto [t]^\theta; I \models \varphi\{(\nu X(x).\varphi)/X\}$

Proof. We prove (1) below. The proof of (2) is identical except that $\mu$ is replaced by $\nu$ everywhere (this works because the proof below relies only on $\mu X(x).\varphi$ being a fixed-point, not on it being the least fixed-point).

Proof of (1). We have:

$\theta; I \models (\mu X(x).\varphi)\,t$
$\Leftrightarrow [t]^\theta \in \mu F^{X,x}_{\theta,I}(\varphi)$ (Defn.)
$\Leftrightarrow [t]^\theta \in F^{X,x}_{\theta,I}(\varphi)(\mu F^{X,x}_{\theta,I}(\varphi))$ ($\mu F^{X,x}_{\theta,I}(\varphi)$ is a fixed-point of $F^{X,x}_{\theta,I}(\varphi)$)
$\Leftrightarrow [t]^\theta \in \{d \mid \theta, x \mapsto d; I, X \mapsto \mu F^{X,x}_{\theta,I}(\varphi) \models \varphi\}$ (Defn.)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I, X \mapsto \mu F^{X,x}_{\theta,I}(\varphi) \models \varphi$ (Set theory)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I, X \mapsto \{[t']^\theta \mid \theta; I \models (\mu X(x).\varphi)\,t'\} \models \varphi$ (Defn. of $\theta; I \models (\mu X(x).\varphi)\,t$)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I, X \mapsto \{[t']^\theta \mid \theta, x \mapsto [t']^\theta; I \models (\mu X(x).\varphi)\,x\} \models \varphi$ (Lemma A.1)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I, X \mapsto \{d \mid \theta, x \mapsto d; I \models (\mu X(x).\varphi)\,x\} \models \varphi$
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I \models \varphi\{(\lambda x.(\mu X(x).\varphi)\,x)/X\}$ (Lemma A.2)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I \models \varphi\{(\mu X(x).\varphi)/X\}$ ($(\lambda x.\,f\,x) = f$)

□
Finite unrolling. Next we consider finite unrolling of fixed-points and its semantic interpretation. We define the function $U^{X,x}_n(\varphi)$, which unrolls the definition $(X(x) = \varphi)$ $n$ times, using $\psi$ for the base case ($\psi$ may contain the free variables $x$). The result is a predicate of the form $\lambda x.\varphi'$. The function $U^{X,x}_n(\varphi)$ is defined by induction on $n$ as follows.

$U^{X,x}_0(\varphi) = \lambda x.\psi$

$U^{X,x}_{n+1}(\varphi) = \lambda x.\varphi\{U^{X,x}_n(\varphi)/X\}$

Lemma A.4 (Finite unrolling). $\theta; I \models (U^{X,x}_n(\varphi))\,t$ if and only if $[t]^\theta \in (F^{X,x}_{\theta,I}(\varphi))^n(\{d \mid \theta, x \mapsto d; I \models \psi\})$.

Proof. By induction on $n$.

Case $n = 0$:

$\theta; I \models (U^{X,x}_0(\varphi))\,t$
$\Leftrightarrow \theta; I \models (\lambda x.\psi)\,t$ (Defn. of $U^{X,x}_0(\varphi)$)
$\Leftrightarrow \theta; I \models \psi\{t/x\}$
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I \models \psi$ (Lemma A.1)
$\Leftrightarrow [t]^\theta \in \{d \mid \theta, x \mapsto d; I \models \psi\}$ (Set theory)
$\Leftrightarrow [t]^\theta \in (F^{X,x}_{\theta,I}(\varphi))^0(\{d \mid \theta, x \mapsto d; I \models \psi\})$ ($f^0(x) = x$)

Case $n = k + 1$:

$\theta; I \models (U^{X,x}_{k+1}(\varphi))\,t$
$\Leftrightarrow \theta; I \models (\lambda x.\varphi\{U^{X,x}_k(\varphi)/X\})\,t$ (Defn. of $U^{X,x}_{k+1}(\varphi)$)
$\Leftrightarrow \theta; I \models \varphi\{t/x\}\{U^{X,x}_k(\varphi)/X\}$
$\Leftrightarrow \theta; I \models \varphi\{t/x\}\{(\lambda x.(U^{X,x}_k(\varphi))\,x)/X\}$ ($f = \lambda x.(f\,x)$)
$\Leftrightarrow \theta; I, X \mapsto \{d \mid \theta, x \mapsto d; I \models U^{X,x}_k(\varphi)\,x\} \models \varphi\{t/x\}$ (Lemma A.2)
$\Leftrightarrow \theta; I, X \mapsto \{[t']^\theta \mid \theta; I \models U^{X,x}_k(\varphi)\,t'\} \models \varphi\{t/x\}$ (Lemma A.1)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I, X \mapsto \{[t']^\theta \mid \theta; I \models U^{X,x}_k(\varphi)\,t'\} \models \varphi$ (Lemma A.1)
$\Leftrightarrow \theta, x \mapsto [t]^\theta; I, X \mapsto (F^{X,x}_{\theta,I}(\varphi))^k(\{d \mid \theta, x \mapsto d; I \models \psi\}) \models \varphi$ (i.h.)
$\Leftrightarrow [t]^\theta \in (F^{X,x}_{\theta,I}(\varphi))^{k+1}(\{d \mid \theta, x \mapsto d; I \models \psi\})$ (Defn. of $F^{X,x}_{\theta,I}(\varphi)$)

□


B  Proof  System  for  LFP 

We  prove  the  proof  theory  of  LFP  sound  with  respect  to  the  semantics  of  LFP. 

Lemma B.1 (Soundness of sequent calculus). If $\Sigma; \Gamma \vdash \Delta$ then for all interpretations $I$ and for all substitutions $\theta$ with $\mathrm{dom}(\theta) = \Sigma$, $\theta; I \models \bigwedge \Gamma$ implies $\theta; I \models \bigvee \Delta$.

Proof. By induction on the structure of the derivation $\Sigma; \Gamma \vdash \Delta$.

Case $\mu$R:

$\mathcal{E} :: \Sigma; \Gamma \vdash \varphi\{\mu X(x).\varphi/X\}\{t/x\}, \Delta$ over $\Sigma; \Gamma \vdash (\mu X(x).\varphi)\,t, \Delta$

By assumption, given any $I$ and $\theta$ where $\mathrm{dom}(\theta) = \Sigma$: $\theta; I \models \bigwedge \Gamma$.
By i.h. on $\mathcal{E}$: $\theta; I \models \varphi\{\mu X(x).\varphi/X\}\{t/x\} \vee \bigvee \Delta$.
By Lemma A.3: $\theta; I \models \varphi\{\mu X(x).\varphi/X\}\{t/x\}$ iff $\theta, x \mapsto [t]^\theta; I \models (\mu X(x).\varphi)\,x$.
By Lemma A.1: $\theta, x \mapsto [t]^\theta; I \models (\mu X(x).\varphi)\,x$ iff $\theta; I \models (\mu X(x).\varphi)\,t$.
By the above two: $\theta; I \models (\mu X(x).\varphi)\,t \vee \bigvee \Delta$.

Case $\mu$L:

$\mathcal{E}_1 :: \Sigma; \Gamma, \psi\{t/x\} \vdash \Delta$ and $\mathcal{E}_2 :: \Sigma, y; \Gamma, \varphi\{\lambda x.\psi/X\}\{y/x\} \vdash \psi\{y/x\}$ over $\Sigma; \Gamma, (\mu X(x).\varphi)(t) \vdash \Delta$

By assumption, given any $I$ and $\theta$ where $\mathrm{dom}(\theta) = \Sigma$: $\theta; I \models \bigwedge \Gamma \wedge (\mu X(x).\varphi)\,t$, so $\theta; I \models (\mu X(x).\varphi)\,t$, i.e.

$[t]^\theta \in \mu S.\,F^{X,x}_{\theta,I}(\varphi)(S) = \mu S.\{d \mid \theta, x \mapsto d; I, X \mapsto S \models \varphi\}$ (1)

By the Knaster–Tarski theorem, the least fixed point of $F$ is the intersection of the pre-fixed points of $F$:

$\mu S.\,F^{X,x}_{\theta,I}(\varphi)(S) = \bigcap \{S \mid F^{X,x}_{\theta,I}(\varphi)(S) \subseteq S\}$

By set theory, $\mu S.\,F^{X,x}_{\theta,I}(\varphi)(S)$ is a subset of any $S$ such that $F^{X,x}_{\theta,I}(\varphi)(S) \subseteq S$. (2)

Let $T = \{d \mid \theta, x \mapsto d; I \models \psi\}$.

By Lemma A.2,

$F^{X,x}_{\theta,I}(\varphi)(T) = \{d \mid \theta, x \mapsto d; I, X \mapsto T \models \varphi\} = \{d \mid \theta, x \mapsto d; I \models \varphi\{\lambda x.\psi/X\}\}$ (3)

By i.h. on $\mathcal{E}_2$, for all $I'$ and $\theta'$ where $\mathrm{dom}(\theta') = \Sigma, y$: $\theta'; I' \models \bigwedge \Gamma \wedge \varphi\{\lambda x.\psi/X\}\{y/x\}$ implies $\theta'; I' \models \psi\{y/x\}$, hence

$\{d \mid \theta, y \mapsto d; I \models \varphi\{\lambda x.\psi/X\}\{y/x\}\} \subseteq \{d \mid \theta, y \mapsto d; I \models \psi\{y/x\}\}$ (4)

By (3) and (4): $F^{X,x}_{\theta,I}(\varphi)(T) \subseteq T$.

By (2): $\mu S.\,F^{X,x}_{\theta,I}(\varphi)(S) \subseteq T = \{d \mid \theta, x \mapsto d; I \models \psi\}$ (5)

By (1) and (5): $\theta; I \models \psi\{t/x\}$.
By i.h. on $\mathcal{E}_1$: $\theta; I \models \bigvee \Delta$.

Case $\nu$R:

$\mathcal{E}_1 :: \Sigma; \Gamma \vdash \psi\{t/x\}, \Delta$ and $\mathcal{E}_2 :: \Sigma, y; \Gamma, \psi\{y/x\} \vdash \varphi\{\lambda x.\psi/X\}\{y/x\}$ over $\Sigma; \Gamma \vdash (\nu X(x).\varphi)(t), \Delta$

By assumption, given any $I$ and $\theta$ where $\mathrm{dom}(\theta) = \Sigma$: $\theta; I \models \bigwedge \Gamma$.
By i.h. on $\mathcal{E}_1$: $\theta; I \models \psi\{t/x\} \vee \bigvee \Delta$.

If $\theta; I \models \bigvee \Delta$ then $\theta; I \models (\nu X(x).\varphi)(t) \vee \bigvee \Delta$; otherwise $\theta; I \models \psi\{t/x\}$, therefore

$[t]^\theta \in \{d \mid \theta, x \mapsto d; I \models \psi\}$ (1)

By the Knaster–Tarski theorem, the greatest fixed point of $F$ is the union of the post-fixed points of $F$:

$\nu S.\,F^{X,x}_{\theta,I}(\varphi)(S) = \bigcup \{S \mid S \subseteq F^{X,x}_{\theta,I}(\varphi)(S)\}$

By set theory, $\nu S.\,F^{X,x}_{\theta,I}(\varphi)(S)$ is a superset of any $S$ such that $S \subseteq F^{X,x}_{\theta,I}(\varphi)(S)$. (2)

Let $T = \{d \mid \theta, x \mapsto d; I \models \psi\}$.

By Lemma A.2,

$F^{X,x}_{\theta,I}(\varphi)(T) = \{d \mid \theta, x \mapsto d; I, X \mapsto T \models \varphi\} = \{d \mid \theta, x \mapsto d; I \models \varphi\{\lambda x.\psi/X\}\}$ (3)

By i.h. on $\mathcal{E}_2$, for all $I'$ and $\theta'$ where $\mathrm{dom}(\theta') = \Sigma, y$: $\theta'; I' \models \bigwedge \Gamma \wedge \psi\{y/x\}$ implies $\theta'; I' \models \varphi\{\lambda x.\psi/X\}\{y/x\}$, hence

$\{d \mid \theta, y \mapsto d; I \models \psi\{y/x\}\} \subseteq \{d \mid \theta, y \mapsto d; I \models \varphi\{\lambda x.\psi/X\}\{y/x\}\}$ (4)

By (3) and (4): $T \subseteq F^{X,x}_{\theta,I}(\varphi)(T)$.

By (2): $T = \{d \mid \theta, x \mapsto d; I \models \psi\} \subseteq \nu S.\,F^{X,x}_{\theta,I}(\varphi)(S)$ (5)

By (1) and (5): $\theta; I \models (\nu X(x).\varphi)\,t$, and therefore $\theta; I \models (\nu X(x).\varphi)\,t \vee \bigvee \Delta$.

□


C  Model-Checking  for  LFP 

This appendix proves that the model-checking tableaus for LFP (Section 5.2) are sound. In order to do that, we define the interpretation $\iota_I(\mathcal{E}, \Delta)$ generated from a list of equations $\mathcal{E}$ and a list of assumptions $\Delta$, given an interpretation of predicates $I$. The interpretation is defined by induction on $\mathcal{E}$.

$\iota_I([\,], \Delta) = \cdot$

$\iota_I(\mathcal{E} :: (X \Rightarrow \lambda x.\varphi), \Delta \cup \{X : S\}) = I', X \mapsto \nu(\lambda S'.\ [S]^\cdot \cup F^{X,x}_{\cdot,(I,I')}(\varphi)(S'))$ (where $I' = \iota_I(\mathcal{E}, \Delta)$)

Observe that since $F^{X,x}_{\cdot,(I,I')}(\varphi)(S')$ is a monotonic function of $S'$, it is also the case that $\lambda S'.\ [S]^\cdot \cup F^{X,x}_{\cdot,(I,I')}(\varphi)(S')$ is a monotonic function. Hence, its greatest fixed-point in the second clause above exists.

Lemma C.1. Suppose that all free predicate variables of $\varphi$ are defined in $\mathcal{E}$. Then $\theta; I, \iota_I(\mathcal{E}, \Delta) \models \varphi$ iff $\theta; I, \iota_I((\mathcal{E}, \mathcal{E}'), \Delta) \models \varphi$.

Proof. By induction on $\mathcal{E}'$. □

Lemma C.2 (Reduction; reproduced from [34]). Let $f : 2^A \to 2^A$ be a monotonic function. Then $S \subseteq \nu f$ if and only if $S \subseteq f(\nu(\lambda S'.\ S \cup f(S')))$.

Lemma C.3 (Reduction for singletons). Let $f : 2^A \to 2^A$ be monotonic and suppose $d \notin S \subseteq A$. Then, $d \in \nu(\lambda S'.\ S \cup f(S'))$ if and only if $d \in f(\nu(\lambda S'.\ S \cup \{d\} \cup f(S')))$.

Proof. We have:

$d \in \nu(\lambda S'.\ S \cup f(S'))$
$\Leftrightarrow \{d\} \subseteq \nu(\lambda S'.\ S \cup f(S'))$
$\Leftrightarrow \{d\} \subseteq S \cup f(\nu(\lambda S'.\ S \cup \{d\} \cup f(S')))$ (Lemma C.2)
$\Leftrightarrow d \in S \cup f(\nu(\lambda S'.\ S \cup \{d\} \cup f(S')))$
$\Leftrightarrow d \in f(\nu(\lambda S'.\ S \cup \{d\} \cup f(S')))$ (Assumption that $d \notin S$)

□


Theorem C.4 (Soundness). $\sigma; \mathcal{E}; \Delta \vdash \varphi$ implies $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi$.

Proof. We induct on the derivation of $\sigma; \mathcal{E}; \Delta \vdash \varphi$, and case analyze its last rule.

Case INIT: premise $[t]^\cdot \in I_\sigma(P)$, conclusion $\sigma; \mathcal{E}; \Delta \vdash P\,t$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models P\,t$. By definition of the semantics, it suffices to show that $[t]^\cdot \in I_\sigma(P)$, which is stated in the rule's premise.

Case $\neg$INIT: premise $[t]^\cdot \notin I_\sigma(P)$, conclusion $\sigma; \mathcal{E}; \Delta \vdash \neg(P\,t)$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \neg(P\,t)$. By definition of the semantics, it suffices to show that $[t]^\cdot \notin I_\sigma(P)$, which is stated in the rule's premise.

Case $\top$: conclusion $\sigma; \mathcal{E}; \Delta \vdash \top$.

We have to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \top$, which always holds by definition of the semantics.

Case $\wedge$: premises $\sigma; \mathcal{E}; \Delta \vdash \varphi_1$ and $\sigma; \mathcal{E}; \Delta \vdash \varphi_2$, conclusion $\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \wedge \varphi_2$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi_1 \wedge \varphi_2$ or, equivalently, $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi_1$ and $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi_2$. The latter two follow from the i.h. on the premises.

Case $\vee$1: premise $\sigma; \mathcal{E}; \Delta \vdash \varphi_1$, conclusion $\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \vee \varphi_2$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi_1 \vee \varphi_2$. By definition of the semantics, it suffices to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi_1$, which follows immediately from the i.h. applied to the premise.

Case $\vee$2: premise $\sigma; \mathcal{E}; \Delta \vdash \varphi_2$, conclusion $\sigma; \mathcal{E}; \Delta \vdash \varphi_1 \vee \varphi_2$.

Similar to the previous case.

Case $\forall$: premise all $d \in D$. $(\sigma; \mathcal{E}; \Delta \vdash \varphi\{d/x\})$, conclusion $\sigma; \mathcal{E}; \Delta \vdash \forall x.\varphi$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \forall x.\varphi$. By definition of the semantics, it suffices to show that for any $d \in D$, $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi\{d/x\}$. So pick any $d \in D$. By i.h. on the premise, $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi\{d/x\}$, as required.

Case $\exists$: premises $d \in D$ and $\sigma; \mathcal{E}; \Delta \vdash \varphi\{d/x\}$, conclusion $\sigma; \mathcal{E}; \Delta \vdash \exists x.\varphi$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \exists x.\varphi$. By i.h. on the premise, $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi\{d/x\}$. By definition of the semantics, $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \exists x.\varphi$, as required.

Case $\mu$: premise $\sigma; \mathcal{E}; \Delta \vdash \varphi\{t/x\}\{(\mu X(x).\varphi)/X\}$, conclusion $\sigma; \mathcal{E}; \Delta \vdash (\mu X(x).\varphi)\,t$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models (\mu X(x).\varphi)\,t$. By i.h. on the premise we have $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi\{t/x\}\{(\mu X(x).\varphi)/X\}$. Now we have:

$\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi\{t/x\}\{(\mu X(x).\varphi)/X\}$
$\Leftrightarrow x \mapsto [t]^\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models \varphi\{(\mu X(x).\varphi)/X\}$ (Lemma A.1)
$\Leftrightarrow \cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models (\mu X(x).\varphi)\,t$ (Lemma A.3)

Case $\nu$: premise $\sigma; \mathcal{E}, X \Rightarrow \lambda x.\varphi; \Delta, X : \{\} \vdash X\,t$ ($X$ fresh), conclusion $\sigma; \mathcal{E}; \Delta \vdash (\nu X(x).\varphi)\,t$.

We need to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models (\nu X(x).\varphi)\,t$. Let $\mathcal{E}' = \mathcal{E}, X \Rightarrow \lambda x.\varphi$ and $\Delta' = \Delta, X : \{\}$. Then,

$\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}', \Delta') \models X\,t$ (i.h.)
$\Leftrightarrow [t]^\cdot \in \iota_{I_\sigma}(\mathcal{E}', \Delta')(X)$ (Defn. of $\theta; I \models \cdot$)
$\Leftrightarrow [t]^\cdot \in \nu(\lambda S'.\ \{\} \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta'))}(\varphi)(S'))$ (Defn. of $\iota_{I_\sigma}(\mathcal{E}', \Delta')$ and $X : \{\} \in \Delta'$)
$\Leftrightarrow [t]^\cdot \in \nu F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta'))}(\varphi)$ ($\lambda x.(f\,x) = f$)
$\Leftrightarrow [t]^\cdot \in \nu F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta))}(\varphi)$ (Defined-variables$(\mathcal{E}) \subseteq \Delta$)
$\Leftrightarrow \cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta) \models (\nu X(x).\varphi)\,t$ (Defn. of $\theta; I \models (\nu X(x).\varphi)\,t$)
Case X1: premise $[t]^\cdot \in [S]^\cdot$, conclusion $\sigma; \mathcal{E}; \Delta, X : S \vdash X\,t$.

We want to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, (\Delta, X : S)) \models X\,t$ or, equivalently, that $[t]^\cdot \in \iota_{I_\sigma}(\mathcal{E}, (\Delta, X : S))(X)$. Since some definition for $X$ must exist in $\mathcal{E}$, suppose that $\mathcal{E} = \mathcal{E}_1, (X \Rightarrow \lambda x.\varphi), \mathcal{E}_2$. Then, by definition of $\iota_{I_\sigma}$ we have: $\iota_{I_\sigma}(\mathcal{E}, (\Delta, X : S))(X) = \nu(\lambda S'.\ [S]^\cdot \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, (\Delta, X : S)))}(\varphi)(S'))$. Hence, it suffices to show that $[t]^\cdot \in \nu(\lambda S'.\ [S]^\cdot \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, (\Delta, X : S)))}(\varphi)(S'))$. To avoid syntactic clutter, define $f = F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, (\Delta, X : S)))}(\varphi)$. What we need to show then is that $[t]^\cdot \in \nu(\lambda S'.\ [S]^\cdot \cup f(S'))$. Suppose $\nu(\lambda S'.\ [S]^\cdot \cup f(S')) = S_0$. Because $S_0$ is a fixed-point of $\lambda S'.\ [S]^\cdot \cup f(S')$, it follows that $S_0 = [S]^\cdot \cup f(S_0) \supseteq [S]^\cdot$. Since, by the premise of the rule, $[t]^\cdot \in [S]^\cdot$, it follows that $[t]^\cdot \in S_0 = \nu(\lambda S'.\ [S]^\cdot \cup f(S'))$, as required.

Case X2: premises $[t]^\cdot \notin [S]^\cdot$, $(X \Rightarrow \lambda x.\varphi) \in \mathcal{E}$ and $\sigma; \mathcal{E}; \Delta, X : S \cup \{t\} \vdash \varphi\{t/x\}$, conclusion $\sigma; \mathcal{E}; \Delta, X : S \vdash X\,t$.

Let $\Delta' = \Delta, X : S$ and let $\mathcal{E} = \mathcal{E}_1, (X \Rightarrow \lambda x.\varphi), \mathcal{E}_2$. We want to show that $\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta') \models X\,t$. We have:

$\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, \Delta') \models X\,t$
$\Leftrightarrow [t]^\cdot \in \iota_{I_\sigma}(\mathcal{E}, \Delta')(X)$ (Defn. of $\theta; I \models \cdot$)
$\Leftrightarrow [t]^\cdot \in \nu(\lambda S'.\ [S]^\cdot \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, \Delta'))}(\varphi)(S'))$ (Defn. of $\iota_{I_\sigma}(\mathcal{E}, \Delta')$)
$\Leftrightarrow [t]^\cdot \in \nu(\lambda S'.\ [S]^\cdot \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, \Delta))}(\varphi)(S'))$ (Defined-variables$(\mathcal{E}_1) \subseteq \Delta$)
$\Leftrightarrow [t]^\cdot \in F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, \Delta))}(\varphi)(\nu(\lambda S'.\ [S]^\cdot \cup \{[t]^\cdot\} \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, \Delta))}(\varphi)(S')))$ (Lemma C.3)
$\Leftrightarrow x \mapsto [t]^\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, \Delta), X \mapsto \nu(\lambda S'.\ [S]^\cdot \cup \{[t]^\cdot\} \cup F^{X,x}_{\cdot,(I_\sigma, \iota_{I_\sigma}(\mathcal{E}_1, \Delta))}(\varphi)(S')) \models \varphi$ (Defn. of $F^{X,x}_{\theta,I}(\varphi)$)
$\Leftrightarrow x \mapsto [t]^\cdot; I_\sigma, \iota_{I_\sigma}((\mathcal{E}_1, (X \Rightarrow \lambda x.\varphi)), (\Delta, X : S \cup \{t\})) \models \varphi$ (Defn. of $\iota$)
$\Leftrightarrow x \mapsto [t]^\cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, (\Delta, X : S \cup \{t\})) \models \varphi$ (Lemma C.1)
$\Leftrightarrow \cdot; I_\sigma, \iota_{I_\sigma}(\mathcal{E}, (\Delta, X : S \cup \{t\})) \models \varphi\{t/x\}$ (Lemma A.1)

The last statement follows from the i.h. So the first statement must also hold.

□
Theorem C.5 (Soundness). Suppose $\varphi$ has no free term and predicate variables and $\sigma; \cdot; \cdot \vdash \varphi$. Then, $\cdot; \sigma \models \varphi$.

Proof. Suppose $\sigma; \cdot; \cdot \vdash \varphi$. By Theorem C.4, $\cdot; I_\sigma \models \varphi$. By definition of satisfaction on traces, this is the same as $\cdot; \sigma \models \varphi$. □

D  Local  Feasibility 

D.l  Formal  Definitions 

Strict Past Operator. We define a strict past operator $\Diamond_{st}\,\phi$ as follows. Formula $\Diamond_{st}\,\phi$ holds in the current state if $\phi$ holds in some state that is strictly earlier than the current state.

$(\Diamond_{st}\,\phi)@s = \exists s'.\ (s' <_{st} s) \wedge \phi@s'$

Trace Operations. Given $f$ and $g$, both of which are mappings from domain $D_1$ to $D_2$, we define $f \cup g$ as follows:

$(f \cup g)(d) = f(d) \cup g(d)$ if $d \in \mathrm{dom}(f) \cap \mathrm{dom}(g)$; $f(d)$ if $d \in \mathrm{dom}(f)$ and $d \notin \mathrm{dom}(g)$; $g(d)$ if $d \notin \mathrm{dom}(f)$ and $d \in \mathrm{dom}(g)$.

Given $f$ and $g$, both of which are mappings from domain $D_1$ to $D_2$, we define $f \uplus g$ as follows:

$(f \uplus g)(d) = f(d) \cup g(d)$ if $d \in \mathrm{dom}(f) \cap \mathrm{dom}(g)$ and $f(d) = g(d)$; $f(d)$ if $d \in \mathrm{dom}(f)$ and $d \notin \mathrm{dom}(g)$; $g(d)$ if $d \notin \mathrm{dom}(f)$ and $d \in \mathrm{dom}(g)$.

Given $f$ and $g$, both of which are mappings from domain $D_1$ to mappings from $D_2$ to $D_3$, we define $f \Cup g$ as follows:

$(f \Cup g)(d) = f(d) \cup g(d)$ if $d \in \mathrm{dom}(f) \cap \mathrm{dom}(g)$; $f(d)$ if $d \in \mathrm{dom}(f)$ and $d \notin \mathrm{dom}(g)$; $g(d)$ if $d \notin \mathrm{dom}(f)$ and $d \in \mathrm{dom}(g)$.

Given $f$ and $g$, both of which are mappings from domain $D_1$ to mappings from $D_2$ to $D_3$, we define $f \uplus\uplus g$ as follows:

$(f \uplus\uplus g)(d) = f(d) \cup g(d)$ if $d \in \mathrm{dom}(f) \cap \mathrm{dom}(g)$; $f(d)$ if $d \in \mathrm{dom}(f)$ and $d \notin \mathrm{dom}(g)$; $g(d)$ if $d \notin \mathrm{dom}(f)$ and $d \in \mathrm{dom}(g)$.

For traces $\sigma_1 = (\kappa_1, \rho^f_1, \rho^{f'}_1, a_1, \neg a_1, r_1, t_1)$ and $\sigma_2 = (\kappa_2, \rho^f_2, \rho^{f'}_2, a_2, \neg a_2, r_2, t_2)$:

$\sigma_1 \uplus \sigma_2 = (\kappa_1 \Cup \kappa_2,\ \rho^f_1 \Cup \rho^f_2,\ \rho^{f'}_1 \uplus \rho^{f'}_2,\ a_1 \cup a_2,\ \neg a_1 \cup \neg a_2,\ r_1 \cup r_2,\ t_1 \cup t_2)$

We say a mapping $f$ from domain $D_1$ to $D_2$ is an extension of $g$ ($f \supseteq g$) if $\forall d \in \mathrm{dom}(g)$, $g(d) \subseteq f(d)$. We say a mapping $ff$ from domain $D_1$ to mappings from $D_2$ to $D_3$ is an extension of $gg$ if $\forall d \in \mathrm{dom}(gg)$, $gg(d) \subseteq ff(d)$.

We say a trace $\sigma$ is an extension of $\sigma'$, written $\sigma \supseteq \sigma'$, if every mapping $f$ in $\sigma$ is an extension of the corresponding mapping $f'$ in $\sigma'$.

We write $a|_p = \emptyset$ to mean that $p$ is the performer of none of the actions in the range of the function $a$.

We assume that each agent has some default knowledge. We write $\kappa_p$ to denote a knowledge map where $\kappa_p(i)(p)$ is $p$'s default knowledge, for each $i$ in the domain of $\kappa_p$.
Feasibility. Our definitions for feasibility rely on a recursively defined function $GF(j, \Phi, S_a)$ to generate conditions that need to be satisfied at each state in an infinite run of the system (Figure 6). Each $GF(j, \Phi, S_a)$ contains a hole ($[\ ]$). We write $GF(j, \Phi, S_a)[R]_{\vec{v}}$ to denote the predicate generated by unfolding the definition of $GF$ and plugging $R$ into the hole. The variables annotated in the subscript of the hole appear free in $R$, and are bound by quantifiers on the outer layers.

Ultimately, we care about $GF(j, \Phi, S_a)[\mathrm{true}]$.

Figure 6: Feasibility. The figure defines the predicates $H(\sigma, i, S_a, \tau_0)$ and $F(\sigma, i, S_a, \tau_0)$ on partial traces (in $F$, every action in $\mathrm{range}(a)$ and $\mathrm{range}(\neg a)$ is performed by some $p \in S_a$), and the recursive function $GF(j, \Phi, S_a)$: the base case $GF(0, \Phi, S_a)$ quantifies over traces $\sigma_0$ satisfying $H$ and requires an agent trace $\sigma_0^{S_a}$ satisfying $F$ whose merge $\sigma_0 \uplus \sigma_0^{S_a}$ is well-defined; the recursive case $GF(j, \Phi, S_a) = GF(j-1, \Phi, S_a)[\ldots]_{\sigma_0, \ldots, \sigma_{j-1}}$ plugs the analogous condition for state $j$ into the hole, requiring, for every $G\,\varphi_i \in \Phi$, that $\varphi_i$ hold at state $j$ of every well-defined extension of the merged trace $\biguplus_{k=0}^{j} \sigma_k \uplus \sigma_j^{S_a}$.

Def. A set of responsibilities $\Phi$ is feasible for a set of agents $S_a$ if $GF(j, \Phi, S_a)[\mathrm{true}]$ holds for all $j$.

D.2  Lemmas and Definitions for Proving Local Feasibility Theorems

D.2.1  Locality

Def. Observable  We say that $\varphi$ is observable to an agent $p$ if all the atomic formulas in $\varphi$ describe states or events observable to $p$. We write $p \vdash \varphi\ \mathsf{Obs}$ to mean that $\varphi$ describes states and events that are observable by $p$. Figure 7 shows the summary of rules.

Theorem D.1.  If $p \vdash \varphi\ \mathsf{Obs}$, then $\varphi$ is local to agent $p$.

Proof (sketch): By induction on the structure of the derivation $p \vdash \varphi\ \mathsf{Obs}$. □

D.2.2  Lemmas and Definitions Related to Past Formulas

We define $\varphi_{past}$ to be the temporal formulas that do not contain future operators. We prove the following lemma, which states that given any state $i$, $\varphi_{past}$ does not concern any state that is later than $i$.

Lemma D.2 (Invariant of Past Formula (prefix)).  For all $j \geq i$, $\sigma, i \models \varphi_{past}$ iff $\sigma|_j, i \models \varphi_{past}$.

Proof (sketch): By induction on the structure of $\varphi_{past}$. We show a few key cases below.
Figure 7 rules for the judgment $p \vdash \varphi\ \mathsf{Obs}$ (premises are listed before the conclusion; an axiom has no premises):

  $p \vdash \bot\ \mathsf{Obs}$      $p \vdash \top\ \mathsf{Obs}$      if $P$ is observable to $p$: $p \vdash P\ \mathsf{Obs}$

  from $p \vdash \varphi_1\ \mathsf{Obs}$ and $p \vdash \varphi_2\ \mathsf{Obs}$: $p \vdash \varphi_1 \vee \varphi_2\ \mathsf{Obs}$, $p \vdash \varphi_1 \wedge \varphi_2\ \mathsf{Obs}$, $p \vdash \varphi_1\ \mathcal{S}\ \varphi_2\ \mathsf{Obs}$, $p \vdash \varphi_1\ \mathcal{U}\ \varphi_2\ \mathsf{Obs}$

  from $p \vdash \varphi\ \mathsf{Obs}$: $p \vdash \exists x.\varphi\ \mathsf{Obs}$, $p \vdash \forall x.\varphi\ \mathsf{Obs}$, $p \vdash \neg\varphi\ \mathsf{Obs}$, $p \vdash \Diamond_{st}\varphi\ \mathsf{Obs}$, $p \vdash \boxminus\varphi\ \mathsf{Obs}$, $p \vdash \bigcirc\varphi\ \mathsf{Obs}$, $p \vdash \Diamond\varphi\ \mathsf{Obs}$, $p \vdash \Box\varphi\ \mathsf{Obs}$

Figure 7: Observable Formulas


Case $\varphi_{past} = P(t)$:
The validity of the atomic predicate $P(t)$ depends only on the mappings $\alpha(i)$, $\kappa(i)$, $\rho(i)$ and $\tau(i)$ at state $i$. When $j \geq i$, the projection $\sigma|_j$ does not affect those mappings. Therefore, the conclusion holds.

Case $\varphi_{past} = \neg\varphi_{past1}$:
The if direction. By assumption, $\sigma, i \models \neg\varphi_{past1}$, so $\sigma, i \not\models \varphi_{past1}$. By I.H. on $\varphi_{past1}$, $\sigma|_j, i \not\models \varphi_{past1}$, so $\sigma|_j, i \models \neg\varphi_{past1}$.
The only-if direction. By assumption, $\sigma|_j, i \models \neg\varphi_{past1}$, so $\sigma|_j, i \not\models \varphi_{past1}$. By I.H. on $\varphi_{past1}$, $\sigma, i \not\models \varphi_{past1}$, so $\sigma, i \models \neg\varphi_{past1}$.

Case $\varphi_{past} = \boxminus\varphi_{past1}$:
The if direction. By assumption, $\sigma, i \models \boxminus\varphi_{past1}$. By the definition of $\models$, for all $k \leq i$, $\sigma, k \models \varphi_{past1}$. Since $k \leq i \leq j$, by I.H. on $\varphi_{past1}$, $\sigma|_j, k \models \varphi_{past1}$. By the definition of $\models$, $\sigma|_j, i \models \boxminus\varphi_{past1}$.
The only-if direction. By assumption, $\sigma|_j, i \models \boxminus\varphi_{past1}$. By the definition of $\models$, for all $k \leq i$, $\sigma|_j, k \models \varphi_{past1}$. Since $k \leq i \leq j$, by I.H. on $\varphi_{past1}$, $\sigma, k \models \varphi_{past1}$. By the definition of $\models$, $\sigma, i \models \boxminus\varphi_{past1}$.

□


Def.  We write $\varphi_p$ to denote persistent past formulas, which are formulas that, once true in a state $i$, are true in all future states of $i$. It is defined as follows. We use two auxiliary definitions: $P_p$, which denotes atomic predicates that are true in all states; and $P_{sp}$, which denotes all other predicates.

  Persistent Form          $P_p ::= \mathrm{contains}(m, \cdots) \mid \cdots$
  Persistent Effect Form   $P_{sp} ::= A_p \mid \mathrm{inrole}(p, r) \mid \cdots$
  Persistent Past Form     $\varphi_p ::= \top \mid P_p \mid \varphi_p \wedge \varphi_p \mid \varphi_p \vee \varphi_p \mid \forall x.\varphi_p \mid \exists x.\varphi_p \mid \Diamond P_{sp} \mid \Diamond_{st} P_{sp} \mid \Diamond\varphi_p \mid \Diamond_{st}\varphi_p \mid \varphi_p\ \mathcal{S}\ \varphi_{past}$

Lemma D.3 (Persistent Past).  $\sigma, i \models \varphi_p$ implies $\sigma, i \models \Box\varphi_p$.

Proof (sketch): By induction on the structure of $\varphi_p$. □

The judgment $\vec{x} \vdash \varphi\ \mathsf{fin}$ holds on a past formula $\varphi$ if the variables $\vec{x}$ are free in $\varphi$ and, given any state on a trace, there are only finitely many substitutions $\delta$ for $\vec{x}$ such that $\delta\varphi$ is valid in that state. We define rules for this judgment in Figure 8.

Figure 8 rules for the judgment $\vec{x} \vdash \varphi\ \mathsf{fin}$ (premises before the conclusion):

  if $\mathrm{fv}(t) \supseteq \vec{x}$ and, for all $\sigma$ and all $i$, the set $\Delta$ of grounding substitutions for $\mathrm{fv}(t)$ such that for all $\delta \in \Delta$, $\sigma, i \models \delta(P\,t)$, is finite: $\vec{x} \vdash P\,t\ \mathsf{fin}$
  from $\vec{x}_1 \vdash \varphi_1\ \mathsf{fin}$, $\vec{x}_2 \vdash \varphi_2\ \mathsf{fin}$ and $\vec{x} = \vec{x}_1 \cup \vec{x}_2$: $\vec{x} \vdash \varphi_1 \wedge \varphi_2\ \mathsf{fin}$
  from $\vec{x} \vdash \varphi_1\ \mathsf{fin}$ and $\vec{x} \vdash \varphi_2\ \mathsf{fin}$: $\vec{x} \vdash \varphi_1 \vee \varphi_2\ \mathsf{fin}$
  from $\vec{x}, y \vdash \varphi\ \mathsf{fin}$: $\vec{x} \vdash \exists y.\varphi\ \mathsf{fin}$
  from $\vec{x} \vdash \varphi\ \mathsf{fin}$: $\vec{x} \vdash \Diamond\varphi\ \mathsf{fin}$, $\vec{x} \vdash \boxminus\varphi\ \mathsf{fin}$, $\vec{x} \vdash \Diamond_{st}\varphi\ \mathsf{fin}$
  from $\vec{x} \vdash \varphi_2\ \mathsf{fin}$ and $\vdash \varphi_1\ \mathsf{past}$: $\vec{x} \vdash \varphi_1\ \mathcal{S}\ \varphi_2\ \mathsf{fin}$

Figure 8: Judgment for Past Formulas with Finite Substitutions

Lemma D.4 (Finite Substitution).  If $\vec{x} \vdash \varphi\ \mathsf{fin}$, then for all $\sigma$ and all $i$, the set of all grounding substitutions $\delta$ for $\vec{x}$ such that $\sigma, i \models \delta\varphi$ is finite.

Proof (sketch): By induction on the derivation $\vec{x} \vdash \varphi\ \mathsf{fin}$. □

Def. Strict Past  In order for the actions from different agents to compose nicely, we need to make sure that an agent $p$'s plan is not affected by changes in the current state caused by another agent. Otherwise, we would not be able to achieve a stable system. We define a syntactic check on a past formula, $p \vdash \varphi\ \mathsf{StrictPast}$. The definitions are in Figure 9.

Figure 9 rules for the judgment $p \vdash \varphi\ \mathsf{StrictPast}$ (premises before the conclusion):

  $p \vdash \bot\ \mathsf{StrictPast}$      $p \vdash \top\ \mathsf{StrictPast}$      if $P = A_p$ or $P$ depends on the default knowledge of $p$: $p \vdash P\ \mathsf{StrictPast}$
  from $p \vdash \varphi_1\ \mathsf{StrictPast}$ and $p \vdash \varphi_2\ \mathsf{StrictPast}$: $p \vdash \varphi_1 \wedge \varphi_2\ \mathsf{StrictPast}$, $p \vdash \varphi_1 \vee \varphi_2\ \mathsf{StrictPast}$, $p \vdash \varphi_1\ \mathcal{S}\ \varphi_2\ \mathsf{StrictPast}$
  from $p \vdash \varphi\ \mathsf{StrictPast}$: $p \vdash \exists x.\varphi\ \mathsf{StrictPast}$, $p \vdash \forall x.\varphi\ \mathsf{StrictPast}$, $p \vdash \neg\varphi\ \mathsf{StrictPast}$, $p \vdash \Diamond\varphi\ \mathsf{StrictPast}$, $p \vdash \boxminus\varphi\ \mathsf{StrictPast}$
  if $\varphi$ is a past formula: $p \vdash \Diamond_{st}\varphi\ \mathsf{StrictPast}$

Figure 9: Strictly Past
Lemma D.5 (Invariant of Strictly Past Formula).

If $p \vdash \varphi\ \mathsf{StrictPast}$, then given any $\sigma$ and $\sigma'$ such that

1. $\kappa \supseteq \kappa_p$ and $\kappa' \supseteq \kappa_p$,

2. $p$ is not the performer of any of the actions in the range of $\alpha'$,

3. $\sigma'|_{i-1} = \emptyset$,

4. $\sigma \uplus \sigma'$ is well-defined,

then $\sigma, i \models \varphi$ iff $\sigma \uplus \sigma', i \models \varphi$.

Proof (sketch): By induction on the structure of the derivation $p \vdash \varphi\ \mathsf{StrictPast}$. We show a few key cases below.

Case: $\varphi = P(t)$.

If direction. By assumption, $\sigma, i \models P(t)$, so either $P(t) = A_p \in \alpha(i)$ or $P(t)$ is justified by $\kappa_p$. The above conditions still hold for $\sigma \uplus \sigma'$; therefore, $\sigma \uplus \sigma', i \models P(t)$.

Only-if direction. By assumption, $\sigma \uplus \sigma', i \models P(t)$, so either $P(t) = A_p \in \alpha(i) \cup \alpha'(i)$ or $P(t)$ is justified by $\kappa_p$. By assumption, $p$ is not the performer of any action in $\alpha'(i)$, so $P(t) \in \alpha(i)$ or $P(t)$ is justified by $\kappa_p$; therefore, $\sigma, i \models P(t)$.

Case: $p \vdash \Diamond_{st}\varphi\ \mathsf{StrictPast}$, where $\varphi$ is a past formula.

By assumption, $\sigma'|_{i-1} = \emptyset$ (1). By (1) and the definition of projection, $\forall k < i,\ \sigma|_k = (\sigma \uplus \sigma')|_k$ (2). By Lemma D.2, $\sigma|_k, k \models \varphi$ iff $\sigma, k \models \varphi$ (3). By Lemma D.2, $(\sigma \uplus \sigma')|_k, k \models \varphi$ iff $\sigma \uplus \sigma', k \models \varphi$ (4). By (2), (3) and (4), $\sigma, k \models \varphi$ iff $\sigma \uplus \sigma', k \models \varphi$ (5). By (5), $\sigma, i \models \Diamond_{st}\varphi$ iff $\sigma \uplus \sigma', i \models \Diamond_{st}\varphi$ (6).

□

Def.  The judgment $\{P_1, \cdots, P_n\} \vdash \varphi_{past}$ holds when the validity of the predicates $P_1$ to $P_n$ in a state $i$ is irrelevant to the validity of $\varphi_{past}$ in that state. It is defined in Figure 10.

Figure 10 rules for the judgment $SP \vdash \varphi$, where $SP = \{P_1, \cdots, P_n\}$ (premises before the conclusion):

  $SP \vdash \top$      $SP \vdash \bot$      if there is no $\delta$ such that $\delta P_i = \delta A_p$ for any $P_i \in SP$: $\{P_1, \cdots, P_n\} \vdash A_p$
  from $SP \vdash \varphi_1$ and $SP \vdash \varphi_2$: $SP \vdash \varphi_1 \wedge \varphi_2$, $SP \vdash \varphi_1 \vee \varphi_2$, $SP \vdash \varphi_1\ \mathcal{S}\ \varphi_2$
  from $SP \vdash \varphi$: $SP \vdash \exists x.\varphi$, $SP \vdash \forall x.\varphi$, $SP \vdash \neg\varphi$, $SP \vdash \Diamond\varphi$, $SP \vdash \boxminus\varphi$
  if $\varphi$ is a past formula: $SP \vdash \Diamond_{st}\varphi$

Figure 10: Irrelevant Past

Lemma D.6 (Invariant of Past Formulas).

If $SP \vdash \varphi$, then given $\sigma$, $\sigma'$ such that

1. $\sigma'|_{i-1} = \emptyset$,

2. for all $j \geq i$ and all $P \in \alpha'(j)$, there exist $P' \in SP$ and $\delta$ such that $\delta P = \delta P'$,

3. $\sigma \uplus \sigma'$ is well-defined,

then $\sigma, i \models \varphi$ iff $\sigma \uplus \sigma', i \models \varphi$.

Proof (sketch): By induction on the structure of the derivation $SP \vdash \varphi$.

Case: $\varphi = A_p$.

If direction. By assumption, $\sigma, i \models A_p$, so $A_p \in \alpha(i)$ and hence $A_p \in \alpha(i) \cup \alpha'(i)$; therefore, $\sigma \uplus \sigma', i \models A_p$.

Only-if direction. By assumption, $\sigma \uplus \sigma', i \models A_p$, so $A_p \in \alpha(i) \cup \alpha'(i)$. By assumption, $A_p \notin \alpha'(i)$, so $A_p \in \alpha(i)$; therefore, $\sigma, i \models A_p$.

Case: $SP \vdash \Diamond_{st}\varphi$, where $\varphi$ is a past formula.

By assumption, $\sigma'|_{i-1} = \emptyset$ (1). By (1) and the definition of projection, $\forall k < i,\ \sigma|_k = (\sigma \uplus \sigma')|_k$ (2). By Lemma D.2, $\sigma|_k, k \models \varphi$ iff $\sigma, k \models \varphi$ (3). By Lemma D.2, $(\sigma \uplus \sigma')|_k, k \models \varphi$ iff $\sigma \uplus \sigma', k \models \varphi$ (4). By (2), (3) and (4), $\sigma, k \models \varphi$ iff $\sigma \uplus \sigma', k \models \varphi$ (5). By (5), $\sigma, i \models \Diamond_{st}\varphi$ iff $\sigma \uplus \sigma', i \models \Diamond_{st}\varphi$ (6).

□
D.2.3  Lemmas and Definitions for $\varphi_c^-$ and $\varphi_f^*$

Satisfiability of Constraints on Time Points  Formulas such as $\varphi_c^-(p)$ and $\varphi_f^*(p)$ can be used to encode an agent $p$'s obligations. One can use the freeze operator to express a time bound on when $p$ has to finish his obligation. For such obligations to be feasible for $p$, the constraints expressing these bounds should be satisfiable. The judgment $\Sigma;\Gamma \vdash \varphi_f^*\ \mathsf{sat}$ states that all the constraints on time points in $\varphi_f^*$ are satisfiable. $\Sigma$ contains all the free time variables in $\varphi_f^*$ and $\Gamma$; and $\Gamma$ is the context containing assumptions about various time points. The rules are shown in Figure 11.

Figure 11 rules for the judgment $\Sigma;\Gamma \vdash \varphi\ \mathsf{sat}$ (premises before the conclusion):

  $\Sigma;\Gamma \vdash \top\ \mathsf{sat}$      $\Sigma;\Gamma \vdash \bot\ \mathsf{sat}$      $\Sigma;\Gamma \vdash A_p\ \mathsf{sat}$      $\Sigma;\Gamma \vdash \neg A_p\ \mathsf{sat}$      $\Sigma;\Gamma \vdash \varphi\ \mathsf{sat}$ (side condition: well-formed constraints on time points)
  from $\Sigma;\Gamma \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$ and $\Sigma;\Gamma \vdash \varphi_{f2}^*(p)\ \mathsf{sat}$: $\Sigma;\Gamma \vdash \varphi_{f1}^*(p) \wedge \varphi_{f2}^*(p)\ \mathsf{sat}$, $\Sigma;\Gamma \vdash \varphi_{f1}^*(p)\ \mathcal{U}\ \varphi_{f2}^*(p)\ \mathsf{sat}$
  from $\Sigma;\Gamma \vdash \varphi_f^*(p)\ \mathsf{sat}$: $\Sigma;\Gamma \vdash \varphi_f^*(p) \vee \varphi\ \mathsf{sat}$, $\Sigma;\Gamma \vdash \exists x.K_p(x) \wedge \varphi_f^*(p)\ \mathsf{sat}$, $\Sigma;\Gamma \vdash \forall x.\varphi_f^*(p)\ \mathsf{sat}$, $\Sigma;\Gamma \vdash \Diamond\varphi_f^*(p)\ \mathsf{sat}$, $\Sigma;\Gamma \vdash \Box\varphi_f^*(p)\ \mathsf{sat}$
  from $x;\cdot \vdash \varphi_f^*(p)\ \mathsf{sat}$: $\cdot;\cdot \vdash \downarrow x.\varphi_f^*(p)\ \mathsf{sat}$
  from $\Sigma, y, x;\Gamma, y \leq x \vdash \varphi_f^*(p)\ \mathsf{sat}$: $\Sigma, y;\Gamma \vdash \downarrow x.\varphi_f^*(p)\ \mathsf{sat}$
  from $\Sigma, y, x;\Gamma, y \leq x, c(x) \vdash \varphi_f^*(p)\ \mathsf{sat}$ and $\Sigma, y;\Gamma \vdash \exists x.\,y \leq x \wedge c(x)$: $\Sigma, y;\Gamma \vdash \Diamond\downarrow x.\,c(x) \wedge \varphi_f^*(p)\ \mathsf{sat}$
  from $\Sigma, y;\Gamma \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$, $\Sigma, y, x;\Gamma, y \leq x, c(x) \vdash \varphi_{f2}^*(p)\ \mathsf{sat}$ and $\Sigma, y;\Gamma \vdash \exists x.\,y \leq x \wedge c(x)$: $\Sigma, y;\Gamma \vdash \varphi_{f1}^*(p)\ \mathcal{U}\ (\downarrow x.\,c(x) \wedge \varphi_{f2}^*(p))\ \mathsf{sat}$

Figure 11: Rules for Checking Conditions for Time Points

Lemma D.7 (Substitution for Conditions).

If $\Sigma;\Gamma \vdash \varphi_f^*(p)\ \mathsf{sat}$ and $\mathrm{dom}(\delta) \cap \Sigma = \emptyset$, then $\Sigma;\Gamma \vdash (\delta\varphi_f^*(p))\ \mathsf{sat}$.

Proof (sketch): By induction on the derivation $\Sigma;\Gamma \vdash \varphi_f^*(p)\ \mathsf{sat}$. □

Lemma D.8 (Time Points Substitution for Conditions).

If $\Sigma_1, \Sigma_2;\Gamma \vdash \varphi_f^*(p)\ \mathsf{sat}$ and $\mathrm{dom}(\delta) = \Sigma_1$, then $\Sigma_2;\delta\Gamma \vdash (\delta\varphi_f^*(p))\ \mathsf{sat}$.

Proof (sketch): By induction on the derivation $\Sigma_1, \Sigma_2;\Gamma \vdash \varphi_f^*(p)\ \mathsf{sat}$. □

Relevant Actions in $\varphi_c^-$ and $\varphi_f^*$  To precisely state what kind of actions and inactions an agent $p$ needs to plan for to fulfill her responsibilities, we define a function $\mathcal{A}_c(\varphi_c^-(p))$ to extract the relevant actions in $\varphi_c^-(p)$, and $\mathcal{A}_f(\varphi_f^*(p))$ to extract the relevant actions in $\varphi_f^*(p)$. Detailed rules are defined in Figure 12.

Lemma D.9 (Substitution for Actions).

1. $\mathcal{A}_c(\varphi_c^-(p)\{t/x\}) = (\mathcal{A}_c(\varphi_c^-(p)))\{t/x\}$

2. $\mathcal{A}_f(\varphi_f^*(p)\{t/x\}) = (\mathcal{A}_f(\varphi_f^*(p)))\{t/x\}$
$\mathcal{A}_c(\varphi_c^-)$: the set of inactions involved in causing $\varphi_c^-$ to be false.

  $\mathcal{A}_c(A_p) = \{A_p\}$
  $\mathcal{A}_c(\varphi_{c1}^- \vee \varphi_{c2}^-) = \mathcal{A}_c(\varphi_{c1}^-) \cup \mathcal{A}_c(\varphi_{c2}^-)$      $\mathcal{A}_c(\varphi_c^- \wedge \varphi) = \mathcal{A}_c(\varphi_c^-)$
  $\mathcal{A}_c(\exists x.\varphi_c^-) = \mathcal{A}_c(\{a/x\}\varphi_c^-)$, $a$ is fresh

$\mathcal{A}_f(\varphi_f^*)$: the set of actions (inactions) involved in causing $\varphi_f^*$ to be true.

  $\mathcal{A}_f(A_p) = \{A_p\}$      $\mathcal{A}_f(\neg A_p) = \{A_p\}$      $\mathcal{A}_f(\varphi_f^* \vee \varphi) = \mathcal{A}_f(\varphi_f^*)$      $\mathcal{A}_f(\varphi_{f1}^* \wedge \varphi_{f2}^*) = \mathcal{A}_f(\varphi_{f1}^*) \cup \mathcal{A}_f(\varphi_{f2}^*)$
  $\mathcal{A}_f(\mathit{Uop}\ \varphi_f^*) = \mathcal{A}_f(\varphi_f^*)$      $\mathcal{A}_f(\exists x.\varphi_f^*) = \mathcal{A}_f(\{a/x\}\varphi_f^*)$, $a$ is fresh      $\mathcal{A}_f(\varphi_f^*) = \emptyset$ for all other cases

Figure 12: Function for Extracting Actions


Semantics for Planned Traces  Because the conjunction in $\varphi_c^-$ and the disjunction in $\varphi_f^*$ allow an arbitrary formula as one of the subformulas, we define a non-standard semantics (Figure 13).

$\sigma, i \Vdash \varphi_c^-$:
  $\sigma, i \Vdash \bot$  always
  $\sigma, i \Vdash A_p$  iff $A_p \in \neg\alpha(i)$
  $\sigma, i \Vdash \varphi_c^- \wedge \varphi$  iff $\sigma, i \Vdash \varphi_c^-$
  $\sigma, i \Vdash \varphi_{c1}^- \vee \varphi_{c2}^-$  iff $\sigma, i \Vdash \varphi_{c1}^-$ and $\sigma, i \Vdash \varphi_{c2}^-$
  $\sigma, i \Vdash \exists x.\varphi_c^-$  iff for all $t$, $\sigma, i \Vdash \{t/x\}\varphi_c^-$

$\sigma, i \Vdash \varphi_f^*$:
  $\sigma, i \Vdash \top$  always
  $\sigma, i \Vdash \bot$  never
  $\sigma, i \Vdash A_p$  iff $A_p \in \alpha(i)$
  $\sigma, i \Vdash \neg A_p$  iff $A_p \in \neg\alpha(i)$
  $\sigma, i \Vdash \varphi_f^* \vee \varphi$  iff $\sigma, i \Vdash \varphi_f^*$
  $\sigma, i \Vdash \exists x.K_p(x) \wedge \varphi_f^*$  iff there exists $t$ such that $\sigma, i \Vdash \{t/x\}\varphi_f^*$ and $\mathrm{Tr}(\sigma), i \models K_p(t)$
  $\sigma, i \Vdash \forall x.\varphi_f^*$  iff for all $t$, $\sigma, i \Vdash \{t/x\}\varphi_f^*$
  $\sigma, i \Vdash \downarrow x.\varphi_f^*$  iff $\sigma, i \Vdash \{\tau(i)/x\}\varphi_f^*$
  $\sigma, i \Vdash \Diamond\varphi_f^*$  iff there exists $j \geq i$ such that $\sigma, j \Vdash \varphi_f^*$
  $\sigma, i \Vdash \Box\varphi_f^*$  iff for all $j \geq i$, $\sigma, j \Vdash \varphi_f^*$
  $\sigma, i \Vdash \varphi_{f1}^*\ \mathcal{U}\ \varphi_{f2}^*$  iff there exists $j \geq i$ such that $\sigma, j \Vdash \varphi_{f2}^*$ and for all $k$ with $i \leq k < j$, $\sigma, k \Vdash \varphi_{f1}^*$
  $\sigma, i \Vdash c(t) \wedge \varphi_f^*$  iff $\sigma, i \Vdash \varphi_f^*$ and $\mathrm{Tr}(\sigma), i \models c(t)$

Figure 13: Non-standard Semantics for Planned Traces

Lemma D.10 (Soundness of Planned Trace Semantics).

• if $\sigma \Vdash \varphi_f^*$ and $\mathrm{wf}(\sigma)$, then $\mathrm{Tr}(\sigma) \models \varphi_f^*$

• if $\sigma \Vdash \varphi_c^-$ and $\mathrm{wf}(\sigma)$, then $\mathrm{Tr}(\sigma) \not\models \varphi_c^-$

Proof. By induction on the structure of the formula. □

We further define non-standard semantics for the three main forms of responsibilities.

$\sigma, i \Vdash \forall x.\varphi_c^- \supset \varphi_{past}$  iff for all $t$ for $x$, either $\sigma, i \Vdash \varphi_c^-\{t/x\}$ or $\mathrm{Tr}(\sigma), i \models \varphi_{past}\{t/x\}$

$\sigma, i \Vdash \forall x.\varphi_{past} \supset \varphi_f^*$  iff for all $t$ for $x$ such that $\mathrm{Tr}(\sigma), i \models \varphi_{past}\{t/x\}$, $\sigma, i \Vdash \varphi_f^*\{t/x\}$

$\sigma, i \Vdash \forall x.\varphi_{past} \supset \varphi_f^*$  iff for all $t$ for $x$, $\sigma, i \Vdash \varphi_f^*\{t/x\}$

Lemma D.11 (Soundness of Non-standard Semantics).  If $\sigma \Vdash \varphi_i$ as defined above, then $\mathrm{Tr}(\sigma) \models \varphi_i$.
Proof. By Lemma D.10. □

Key Lemmas About $\varphi_c^-$ and $\varphi_f^*$

Lemma D.12 (Monotonicity of $\varphi_c^-$).

Given any $\sigma$, $i$ and $\sigma'$ such that $\sigma \uplus \sigma'$ is well-defined, $\sigma, i \Vdash \varphi_c^-(p)$ implies $\sigma \uplus \sigma', i \Vdash \varphi_c^-(p)$.

Proof (sketch): By induction on the structure of $\varphi_c^-$. □

Lemma D.13 (Feasibility of $\varphi_c^-(p)$).

For all $i$, there exists a set of inactions $NAS$ such that

I. $p$ is the performer of all actions in $NAS$,

II. for all $P(s) \in NAS$ there exists a $P(w) \in \mathcal{A}_c(\varphi_c^-(p))$ such that there exists a substitution $\delta$ with $P(\delta(s)) = P(\delta(w))$,

III. for all $\sigma$ with $\neg\alpha(i) \supseteq NAS$, $\sigma, i \Vdash \varphi_c^-$.

Proof. By induction on the structure of $\varphi_c^-$.

Case $\varphi_c^- = \bot$: $NAS = \{\}$.

Case $\varphi_c^- = A_p$: $NAS = \{A_p\}$. Given $\sigma$ such that $\neg\alpha(i) \supseteq \{A_p\}$, by the definition of $\sigma, i \Vdash \varphi_c^-$, $\sigma, i \Vdash A_p$.

Case $\varphi_c^- = \varphi_{c1}^-(p) \wedge \varphi$:

By I.H. on $\varphi_{c1}^-(p)$, there exists a set of inactions $NAS_1$ such that
  $p$ is the performer of all actions in $NAS_1$ (1)
  for all $P(s) \in NAS_1$ there exists a $P(w) \in \mathcal{A}_c(\varphi_{c1}^-(p))$ such that there exists a substitution $\delta$ with $P(\delta s) = P(\delta w)$ (2)
  for all $\sigma_1$ with $\neg\alpha_1(i) \supseteq NAS_1$, $\sigma_1, i \Vdash \varphi_{c1}^-(p)$ (3)
Let $NAS = NAS_1$. By (1), I holds. By the definition of $\mathcal{A}_c$, $\mathcal{A}_c(\varphi_{c1}^-(p) \wedge \varphi) = \mathcal{A}_c(\varphi_{c1}^-(p))$ (4). By (4) and (2), II holds. Given any $\sigma$ such that $\neg\alpha(i) \supseteq NAS$, by (3), $\sigma, i \Vdash \varphi_{c1}^-(p)$ (5). By the definition of $\Vdash$ and (5), $\sigma, i \Vdash \varphi_{c1}^-(p) \wedge \varphi$ (6).

Case $\varphi_c^- = \varphi_{c1}^-(p) \vee \varphi_{c2}^-(p)$:

By I.H. on $\varphi_{c1}^-(p)$, there exists a set of inactions $NAS_1$ such that
  $p$ is the performer of all actions in $NAS_1$ (1)
  for all $P(s) \in NAS_1$ there exists a $P(w) \in \mathcal{A}_c(\varphi_{c1}^-(p))$ such that there exists a substitution $\delta$ with $P(\delta s) = P(\delta w)$ (2)
  for all $\sigma_1$ with $\neg\alpha_1(i) \supseteq NAS_1$, $\sigma_1, i \Vdash \varphi_{c1}^-(p)$ (3)
By I.H. on $\varphi_{c2}^-(p)$, there exists a set of inactions $NAS_2$ such that
  $p$ is the performer of all actions in $NAS_2$ (4)
  for all $P(s) \in NAS_2$ there exists a $P(w) \in \mathcal{A}_c(\varphi_{c2}^-(p))$ such that there exists a substitution $\delta$ with $P(\delta s) = P(\delta w)$ (5)
  for all $\sigma_2$ with $\neg\alpha_2(i) \supseteq NAS_2$, $\sigma_2, i \Vdash \varphi_{c2}^-(p)$ (6)
Let $NAS = NAS_1 \cup NAS_2$. By (1) and (4), I holds. By the definition of $\mathcal{A}_c$, $\mathcal{A}_c(\varphi_{c1}^-(p) \vee \varphi_{c2}^-(p)) = \mathcal{A}_c(\varphi_{c1}^-(p)) \cup \mathcal{A}_c(\varphi_{c2}^-(p))$ (7). By (7), (2) and (5), II holds. Given any $\sigma$ such that $\neg\alpha(i) \supseteq NAS$: by (3), $\sigma, i \Vdash \varphi_{c1}^-(p)$ (8); by (6), $\sigma, i \Vdash \varphi_{c2}^-(p)$ (9). By the definition of $\Vdash$, (8) and (9), $\sigma, i \Vdash \varphi_{c1}^-(p) \vee \varphi_{c2}^-(p)$ (10).

Case $\varphi_c^- = \exists x.\varphi_{c1}^-(p)$:

For all $t$, by I.H. on $\varphi_{c1}^-(p)\{t/x\}$, there exists a set of inactions $NAS_t$ such that
  $p$ is the performer of all actions in $NAS_t$ (1)
  for all $P(s) \in NAS_t$ there exists a $P(w) \in \mathcal{A}_c(\varphi_{c1}^-(p)\{t/x\})$ such that there exists a substitution $\delta$ with $P(\delta s) = P(\delta w)$ (2)
  for all $\sigma_1$ with $\neg\alpha_1(i) \supseteq NAS_t$, $\sigma_1, i \Vdash \varphi_{c1}^-(p)\{t/x\}$ (3)
Let $NAS = \bigcup_t NAS_t$. By (1), I holds. By the definition of $\mathcal{A}_c$, $\mathcal{A}_c(\exists x.\varphi_{c1}^-(p)) = \mathcal{A}_c(\varphi_{c1}^-(p))$ (4). By Lemma D.9, $\mathcal{A}_c(\varphi_{c1}^-(p)\{t/x\}) = (\mathcal{A}_c(\varphi_{c1}^-(p)))\{t/x\}$ (5). By (4), (2) and (5), given any $P(s) \in NAS$, there exists $P(w_1) \in \mathcal{A}_c(\varphi_{c1}^-(p))$ such that $\delta_1 = (\delta, t/x)$ and $P(\delta s) = P(\delta_1 w_1) = P(\delta w)$ (6), so II holds. Given any $\sigma$ such that $\neg\alpha(i) \supseteq NAS \supseteq NAS_t$, by (3), $\sigma, i \Vdash \varphi_{c1}^-(p)\{t/x\}$ (7). By the definition of $\Vdash$ and (7), $\sigma, i \Vdash \exists x.\varphi_{c1}^-(p)$ (8).

□
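As an added worked instance, not part of the original appendix, of the $\mathcal{A}_c$ computation (Figure 12), the $NAS$ construction in the proof of Lemma D.13 and the planned-trace semantics of Figure 13: the predicates $\mathit{send}_p$ and $\mathit{report}_p$ (both performed by $p$) and the arbitrary formula $\psi$ are constructed for the illustration.

```latex
\begin{align*}
&\varphi_c^-(p) \;=\; (\exists x.\, \mathit{send}_p(x) \wedge \psi(x)) \vee \mathit{report}_p
  \qquad\text{(constructed condition; } \psi \text{ arbitrary)}\\[2pt]
&\mathcal{A}_c(\varphi_c^-(p))
  = \mathcal{A}_c(\exists x.\, \mathit{send}_p(x) \wedge \psi(x)) \cup \mathcal{A}_c(\mathit{report}_p)
  = \mathcal{A}_c(\mathit{send}_p(a) \wedge \psi(a)) \cup \{\mathit{report}_p\}
  = \{\mathit{send}_p(a),\ \mathit{report}_p\},\quad a \text{ fresh}\\[2pt]
&\text{Lemma D.13, } \exists \text{ case: } NAS_t = \{\mathit{send}_p(t)\} \text{ for each } t;\qquad
  \vee \text{ case: } NAS = \textstyle\bigcup_t NAS_t \cup \{\mathit{report}_p\}
  = \{\mathit{send}_p(t) \mid t\} \cup \{\mathit{report}_p\}\\[2pt]
&\text{II holds: } \mathit{send}_p(t) \in NAS \text{ matches } \mathit{send}_p(a) \in \mathcal{A}_c(\varphi_c^-(p))
  \text{ with } \delta = \{a \mapsto t\};\ \mathit{report}_p \text{ matches itself}\\[2pt]
&\text{Take any } \sigma \text{ with } \neg\alpha(i) \supseteq NAS.\ \text{By Figure 13:}\\
&\qquad \sigma, i \Vdash \mathit{report}_p \iff \mathit{report}_p \in \neg\alpha(i) \quad\checkmark\\
&\qquad \sigma, i \Vdash \mathit{send}_p(t) \wedge \psi(t) \iff \sigma, i \Vdash \mathit{send}_p(t)
  \iff \mathit{send}_p(t) \in \neg\alpha(i) \quad\checkmark\ \text{ for every } t\\
&\qquad \sigma, i \Vdash \exists x.\, \mathit{send}_p(x) \wedge \psi(x)
  \iff \forall t.\ \sigma, i \Vdash \mathit{send}_p(t) \wedge \psi(t) \quad\checkmark\\
&\qquad \sigma, i \Vdash \varphi_c^-(p) \iff \text{both disjuncts hold under } \Vdash \quad\checkmark
  \qquad\text{(III of Lemma D.13)}\\[2pt]
&\text{By Lemma D.10, if } \mathrm{wf}(\sigma) \text{ then } \mathrm{Tr}(\sigma), i \not\models \varphi_c^-(p),
  \text{ hence } \mathrm{Tr}(\sigma), i \models \varphi_c^-(p) \supset \varphi_{past} \text{ for any } \varphi_{past}.
\end{align*}
```

The point for a process designer is that planning the inactions in $NAS$ alone makes the condition false on every well-formed trace, so a responsibility of form (r1), $\forall x.\varphi_c^-(p) \supset \varphi_{past}$, is discharged without any constraint on $\varphi_{past}$ or on the other agents' actions.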

Lemma D.14 (Feasibility of Conditions).  Given a condition $K_p(x)$, for all $i$, there exists $t$ such that for all $\sigma$ with $\kappa \supseteq \kappa_p$, $\sigma, i \models K_p(t)$.

Proof (sketch): By induction on the structure of $K_p(x)$. □

We further assume that solutions for the constraint $c(x)$ on time points are multiples of $\iota$.
Lemma D.15 (Monotonicity of $\varphi_f^*$).

If $\sigma, i \Vdash \varphi_f^*(p)$, then given $\sigma'$ such that $\sigma \uplus \sigma'$ is defined, $\sigma \uplus \sigma', i \Vdash \varphi_f^*(p)$.

Proof (sketch): By induction on the structure of $\varphi_f^*(p)$. □

Lemma D.16 (Feasibility of $\varphi_f^*(p)$).

If $\Sigma;\Gamma \vdash \varphi_f^*(p)\ \mathsf{sat}$, then $\forall t_0$, $\forall i$, $\forall\delta$ such that

1. $\forall t \in \mathrm{range}(\delta)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$

2. $\delta(x) \leq \delta(y)$ if $x$ appears before $y$ in $\Sigma$

3. $\delta(z) = t_0 + i \cdot \iota$ where $\Sigma = \Sigma', z$

4. $\models \delta\Gamma$

there exist a finite action map $\alpha'$ and $\tau'$ such that $\mathrm{start}(\tau') = t_0$ and

I. $\forall j \in \mathrm{dom}(\alpha')$, $j \geq i$, and $\forall j \in \mathrm{dom}(\tau')$, $j \geq i$

II. $p$ is the performer of all actions in the range of $\alpha'$,

III. for all $P(s) \in \mathrm{range}(\alpha')$ there exists a $P(w) \in \mathcal{A}_f(\varphi_f^*(p))$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ(s)) = P(\delta^\circ(w))$,

IV. for all $\sigma$ with $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, $\sigma, i \Vdash \delta\varphi_f^*(p)$.

Proof. By induction on the structure of $\varphi_f^*(p)$.

Most cases are straightforward, and we only give $\alpha'$ and $\tau'$. We focus on a few key cases involving the freeze operator.

Case $\varphi_f^*(p) = \top$: $\alpha' = \emptyset$ and $\tau' = \emptyset$.

Case $\varphi_f^*(p) = A_p$: $\alpha'(i) = \{\delta A_p\}$, and $\tau' = \{i \mapsto t_0 + i \cdot \iota\}$.

Case $\varphi_f^*(p) = \varphi_{f1}^*(p) \wedge \varphi_{f2}^*(p)$:

By I.H. on $\varphi_{f1}^*(p)$, there exist $\tau_1$ and $\alpha_1$ that satisfy all the conditions. By I.H. on $\varphi_{f2}^*(p)$, there exist $\tau_2$ and $\alpha_2$ that satisfy all the conditions. $\tau' = \tau_1 \cup \tau_2$, and $\alpha' = \alpha_1 \cup \alpha_2$.

Case $\varphi_f^*(p) = \varphi_{f1}^*(p) \vee \varphi$:

By I.H. on $\varphi_{f1}^*(p)$, there exist $\tau_1$ and $\alpha_1$ that satisfy all the conditions. $\tau' = \tau_1$, and $\alpha' = \alpha_1$.

Case $\varphi_f^*(p) = \exists x.K_p(x) \wedge \varphi_{f1}^*(p)$:

By assumptions,
  $\Sigma;\Gamma \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$ (1)
  $\Sigma;\Gamma \vdash \exists x.K_p(x) \wedge \varphi_{f1}^*(p)\ \mathsf{sat}$
Given $t_0$, $i$, $\delta$ such that
  $\forall t \in \mathrm{range}(\delta)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$ (2)
  $\delta(x) \leq \delta(y)$ if $x$ appears before $y$ in $\Sigma$ (3)
  $\delta(z) = t_0 + i \cdot \iota$ where $\Sigma = \Sigma', z$ (4)
  $\models \delta\Gamma$ (5)
By Lemma D.14, there exists $t$ such that for all $\sigma$ with $\kappa \supseteq \kappa_p$, $\sigma, i \models \delta K_p(t)$ (6).
By Lemma D.7 and (1), $\Sigma;\Gamma \vdash \varphi_{f1}^*(p)\{t/x\}\ \mathsf{sat}$ (7).
By I.H. on $\varphi_{f1}^*(p)\{t/x\}$ and (1) to (5), there exist an action map $\alpha_1$ and $\tau_1$ such that $\mathrm{start}(\tau_1) = t_0$ and
  $\forall j \in \mathrm{dom}(\alpha_1)$, $j \geq i$, and $\forall j \in \mathrm{dom}(\tau_1)$, $j \geq i$ (8)
  $p$ is the performer of all actions in the range of $\alpha_1$ (9)
  for all $P(s) \in \mathrm{range}(\alpha_1)$ there exists a $P(w) \in \mathcal{A}_f(\varphi_{f1}^*(p)\{t/x\})$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ s) = P(\delta^\circ(w))$ (10)
  $\forall\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_1, \emptyset, \tau_1, \emptyset)$, $\sigma, i \Vdash \delta\varphi_{f1}^*(p)\{t/x\}$ (11)
Let $\tau' = \tau_1$, $\alpha' = \alpha_1$. By (8), I holds. By (9), II holds.
By the definition of $\mathcal{A}_f(\varphi_f^*(p))$, $\mathcal{A}_f(\exists x.K_p(x) \wedge \varphi_{f1}^*(p)) = \mathcal{A}_f(\varphi_{f1}^*(p))$ (12).
By Lemma D.9, $\mathcal{A}_f(\varphi_{f1}^*(p)\{t/x\}) = (\mathcal{A}_f(\varphi_{f1}^*(p)))\{t/x\}$ (13).
By (12), (10) and (13), given any $P(s) \in \mathrm{range}(\alpha')$, there exists $P(w_1) \in \mathcal{A}_f(\varphi_{f1}^*(p))$ such that $\delta_1 = (\delta^\circ, t/x)$ and $P(\delta^\circ s) = P(\delta_1 w_1) = P(\delta^\circ w)$ (14), so III holds.
Given $\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, by (11), $\sigma, i \Vdash \delta\varphi_{f1}^*(p)\{t/x\}$ (15). By (15) and (6), $\sigma, i \Vdash \delta(\exists x.K_p(x) \wedge \varphi_{f1}^*(p))$ (16).

Case $\varphi_f^*(p) = \Diamond\varphi_{f1}^*(p)$:

By I.H. on $\varphi_{f1}^*(p)$, there exist $\alpha_1$ and $\tau_1$ that satisfy all the conditions. $\alpha' = \alpha_1$ and $\tau' = \tau_1$.

Case $\varphi_f^*(p) = \varphi_{f1}^*(p)\ \mathcal{U}\ \varphi_{f2}^*(p)$:

By I.H. on $\varphi_{f2}^*(p)$, there exist $\alpha_1$ and $\tau_1$ that satisfy all the conditions. $k = i$, $\alpha' = \alpha_1$ and $\tau' = \tau_1$.

Case $\varphi_f^*(p) = \Box\varphi_{f1}^*(p)$:

By assumptions,
  $\Sigma;\Gamma \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$ (1)
  $\Sigma;\Gamma \vdash \Box\varphi_{f1}^*(p)\ \mathsf{sat}$
Given $t_0$, $i$, $\delta$ such that
  $\forall t \in \mathrm{range}(\delta)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$ (2)
  $\delta(x) \leq \delta(y)$ if $x$ appears before $y$ in $\Sigma$ (3)
  $\delta(z) = \tau(i)$ where $\Sigma = \Sigma', z$ (4)
  $\models \delta\Gamma$ (5)
By Lemma D.8 and (1), $\cdot;\delta\Gamma \vdash \delta\varphi_{f1}^*(p)\ \mathsf{sat}$ (6).
Given any $k \geq i$, by I.H. on $\delta\varphi_{f1}^*(p)$, there exist an action map $\alpha_k$ and $\tau_k$ such that $\mathrm{start}(\tau_k) = t_0$ and
  $\forall j \in \mathrm{dom}(\alpha_k)$, $j \geq k$, and $\forall j \in \mathrm{dom}(\tau_k)$, $j \geq k$ (7)
  $p$ is the performer of all actions in the range of $\alpha_k$ (8)
  for all $P(s) \in \mathrm{range}(\alpha_k)$ there exists a $P(w) \in \mathcal{A}_f(\delta\varphi_{f1}^*(p))$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ s) = P(\delta^\circ(w))$ (9)
  $\forall\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_k, \emptyset, \tau_k, \emptyset)$, $\sigma, k \Vdash \delta\varphi_{f1}^*(p)$ (10)
Let $\alpha' = \bigcup_{k=i}^{\infty} \alpha_k$ and $\tau' = \bigcup_{k=i}^{\infty} \tau_k$. By (7), I holds. By (8), II holds. By (9) and Lemma D.9, III holds.
Given $\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, by (10) and the definition of $\Vdash$, $\sigma, i \Vdash \delta\Box\varphi_{f1}^*(p)$ (11).

Case $\varphi_f^*(p) = \downarrow x.\varphi_{f1}^*(p)$ (closed):

By assumptions,
  $x;\cdot \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$ (1)
  $\cdot;\cdot \vdash \downarrow x.\varphi_{f1}^*(p)\ \mathsf{sat}$
Given $t_0$, $i$ (because $\Sigma$ is empty, $\delta$ is empty also), by I.H. on $\varphi_{f1}^*(p)$ with $\delta = t_0 + i \cdot \iota / x$, there exist an action map $\alpha_1$ and $\tau_1$ such that $\mathrm{start}(\tau_1) = t_0$ and
  $\forall j \in \mathrm{dom}(\alpha_1)$, $j \geq i$, and $\forall j \in \mathrm{dom}(\tau_1)$, $j \geq i$ (2)
  $p$ is the performer of all actions in the range of $\alpha_1$ (3)
  for all $P(s) \in \mathrm{range}(\alpha_1)$ there exists a $P(w) \in \mathcal{A}_f(\varphi_{f1}^*(p))$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ s) = P(\delta^\circ(w))$ (4)
  $\forall\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_1, \emptyset, \tau_1, \emptyset)$, $\sigma, i \Vdash \delta\varphi_{f1}^*(p)$ (5)
Let $\tau' = \tau_1$ and $\alpha' = \alpha_1$. By (2), I holds. By (3), II holds. By (4), III holds.
Given $\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, by (5), $\delta = \tau'(i)/x$ and the definition of $\Vdash$, $\sigma, i \Vdash \downarrow x.\varphi_{f1}^*(p)$ (6).

Case $\varphi_f^*(p) = \downarrow x.\varphi_{f1}^*(p)$ (open):

By assumptions,
  $\Sigma, y, x;\Gamma, y \leq x \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$ (1)
  $\Sigma, y;\Gamma \vdash \downarrow x.\varphi_{f1}^*(p)\ \mathsf{sat}$
Given $t_0$, $i$, $\delta$ such that
  $\forall t \in \mathrm{range}(\delta)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$ (2)
  $\delta(x') \leq \delta(y')$ if $x'$ appears before $y'$ in $\Sigma, y$ (3)
  $\delta(y) = t_0 + i \cdot \iota$ (4)
  $\models \delta\Gamma$ (5)
Let $\delta_1 = \delta, t_0 + i \cdot \iota / x$. By (2), $\forall t \in \mathrm{range}(\delta_1)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$ (6). By (3) and (4), $\delta(y) = \delta_1(x)$, therefore $\delta_1(x') \leq \delta_1(y')$ if $x'$ appears before $y'$ in $\Sigma, y, x$ (7). By (5), and $\delta_1(y) = \delta_1(x) = t_0 + i \cdot \iota$, $\models \delta_1(\Gamma, y \leq x)$ (8).
By I.H. on $\varphi_{f1}^*(p)$ and (6) to (8), there exist an action map $\alpha_1$ and $\tau_1$ such that $\mathrm{start}(\tau_1) = t_0$ and
  $\forall j \in \mathrm{dom}(\alpha_1)$, $j \geq i$, and $\forall j \in \mathrm{dom}(\tau_1)$, $j \geq i$ (9)
  $p$ is the performer of all actions in the range of $\alpha_1$ (10)
  for all $P(s) \in \mathrm{range}(\alpha_1)$ there exists a $P(w) \in \mathcal{A}_f(\varphi_{f1}^*(p)\{t/x\})$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ s) = P(\delta^\circ(w))$ (11)
  $\forall\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_1, \emptyset, \tau_1, \emptyset)$, $\sigma, i \Vdash \delta_1\varphi_{f1}^*(p)$ (12)
Let $\tau' = \tau_1$, $\alpha' = \alpha_1$. By (9), I holds. By (10), II holds. By (11), III holds.
Given $\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, by (12), $\delta_1 = \delta, \tau'(i)/x$ and the definition of $\Vdash$, $\sigma, i \Vdash \delta\downarrow x.\varphi_{f1}^*(p)$ (13).

Case $\varphi_f^*(p) = \Diamond\downarrow x.\,c(x) \wedge \varphi_{f1}^*(p)$:

By assumptions,
  $\mathcal{E}_1 :: \Sigma, y, x;\Gamma, y \leq x, c(x) \vdash \varphi_{f1}^*(p)\ \mathsf{sat}$
  $\mathcal{E}_2 :: \Sigma, y;\Gamma \vdash \exists x.\,y \leq x \wedge c(x)$
  $\Sigma, y;\Gamma \vdash \Diamond\downarrow x.\,c(x) \wedge \varphi_{f1}^*(p)\ \mathsf{sat}$ (1)
Given $t_0$, $i$, $\delta$ such that
  $\forall t \in \mathrm{range}(\delta)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$ (2)
  $\delta(x') \leq \delta(y')$ if $x'$ appears before $y'$ in $\Sigma, y$ (3)
  $\delta(y) = t_0 + i \cdot \iota$ (4)
  $\models \delta\Gamma$ (5)
By $\mathcal{E}_2$ and (5), $\models \delta(\exists x.\,y \leq x \wedge c(x))$ (6), so there exists $t_x$ such that $\models \delta(y) \leq t_x$ and $\models \delta c(t_x)$ (7).
Let $\delta_1 = \delta, t_x/x$. By (7) and (3), $\delta_1(x') \leq \delta_1(y')$ if $x'$ appears before $y'$ in $\Sigma, y, x$ (8). By (5) and (7), $\models \delta_1(\Gamma, y \leq x, c(x))$ (9).
By the assumption that $t_x$ is a multiple of $\iota$, let $n = i + (t_x - \tau(i))/\iota$, and let $\tau'_1$ be the mapping containing only the following entry: $\tau'_1(n) = t_x$.
By I.H. on $\varphi_{f1}^*(p)$ and (8) to (9), there exist an action map $\alpha_1$ and $\tau_1$ such that $\mathrm{start}(\tau_1) = t_0$ and
  $\forall j \in \mathrm{dom}(\alpha_1)$, $j \geq n$, and $\forall j \in \mathrm{dom}(\tau_1)$, $j \geq n$ (10)
  $p$ is the performer of all actions in the range of $\alpha_1$ (11)
  for all $P(s) \in \mathrm{range}(\alpha_1)$ there exists a $P(w) \in \mathcal{A}_f(\varphi_{f1}^*(p)\{t/x\})$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ s) = P(\delta^\circ(w))$ (12)
  $\forall\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_1, \emptyset, \tau_1, \emptyset)$, $\sigma, n \Vdash \delta_1\varphi_{f1}^*(p)$ (13)
Let $\tau' = \tau'_1$, $\alpha' = \alpha_1$. By (10), I holds. By (11), II holds. By (12), III holds.
Given $\sigma$, $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, by (13) and (7), $\delta_1 = \delta, \tau'(n)/x$ and the definition of $\Vdash$, $\sigma, i \Vdash \delta\Diamond\downarrow x.\,c(x) \wedge \varphi_{f1}^*(p)$ (14).

Case: $\varphi_f^*(p) = \varphi_{f1}^*(p)\ \mathcal{U}\ (\downarrow x.\,c(x) \wedge \varphi_{f2}^*(p))$

Given $t_0$, $i$, $\delta$, by I.H. on $\varphi_{f2}^*(p)$ we can find a time point $t_x$, which maps to state $n$, such that there exist $\alpha_2$ and $\tau_2$ that satisfy all the conditions, and for all $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_2, \emptyset, \tau_2, \emptyset)$, $\sigma, n \Vdash \delta(\downarrow x.\,c(x) \wedge \varphi_{f2}^*(p))$ (1).
By I.H. on $\delta\varphi_{f1}^*(p)$, there exist $\alpha_k$ and $\tau_k$ for each $i \leq k < n$ that satisfy all the conditions, and for all $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha_k, \emptyset, \tau_k, \emptyset)$, $\sigma, k \Vdash \delta\varphi_{f1}^*(p)$ (2).
Let $\alpha' = \alpha_2 \cup \bigcup_{k=i}^{n-1} \alpha_k$ and $\tau' = \tau_2 \cup \bigcup_{k=i}^{n-1} \tau_k$. By (1) and (2), for all $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$, $\sigma, i \Vdash \delta(\varphi_{f1}^*(p)\ \mathcal{U}\ (\downarrow x.\,c(x) \wedge \varphi_{f2}^*(p)))$ (3).

□


Lemma D.17 (Monotonicity of $\varphi_f^-$).

If $\sigma, i \Vdash \varphi_f^-(p)$, then given $\sigma'$ such that $\sigma \uplus \sigma'$ is defined, $\sigma \uplus \sigma', i \Vdash \varphi_f^-(p)$.

Proof (sketch): By induction on the structure of $\varphi_f^-$. □

Lemma D.18 (Feasibility of $\varphi_f^-(p)$).

If $\Sigma;\Gamma \vdash \varphi_f^-(p)\ \mathsf{sat}$, then $\forall t_0$, $\forall i$, $\forall\delta$ such that

1. $\forall t \in \mathrm{range}(\delta)$, $\exists n \geq 0$, $t = t_0 + n \cdot \iota$

2. $\delta(x) \leq \delta(y)$ if $x$ appears before $y$ in $\Sigma$

3. $\delta(z) = \tau(i)$ where $\Sigma = \Sigma', z$

4. $\models \delta\Gamma$

there exist an action map $\neg\alpha'$ and $\tau'$ such that $\mathrm{start}(\tau') = t_0$ and

I. $\forall j \in \mathrm{dom}(\neg\alpha')$, $j \geq i$, and $\forall j \in \mathrm{dom}(\tau')$, $j \geq i$

II. $p$ is the performer of all actions in the range of $\neg\alpha'$,

III. for all $P(s) \in \mathrm{range}(\neg\alpha')$ there exists a $P(w) \in \mathcal{A}_f(\varphi_f^-(p))$ such that there exists a substitution $\delta^\circ$ with $P(\delta^\circ(s)) = P(\delta^\circ(w))$,

IV. for all $\sigma$ with $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \emptyset, \neg\alpha', \tau', \emptyset)$, $\sigma, i \Vdash \delta\varphi_f^-(p)$.

Proof (sketch): By induction on the structure of $\varphi_f^-(p)$. The proof is very similar to Lemma D.16. □

D.2.4  Feasibility Theorems

To prove feasibility theorems, we first prove several stronger lemmas, which require stronger definitions for feasibility. The general structure of these feasibility definitions is as follows.

  $H(\sigma, i, S_a, t_0) = (\sigma|_{i-1} = \emptyset) \wedge (\sigma|_i = \sigma) \wedge \mathrm{start}(\tau) = t_0 \wedge \forall p \in S_a,\ (\sigma|^p = \emptyset) \wedge \forall p \in S_a,\ \kappa \supseteq \kappa_p$
  $G(\alpha, \neg\alpha, \tau, i, S_a, t_0)$   to be defined
  $V(\sigma, i, \Phi)$   to be defined

$GF'(0, \Phi, S_a) = \forall\sigma_0,\ H(\sigma_0, 0, S_a, t_0) \supset$
$\quad \exists\alpha'_0, \neg\alpha'_0, \tau'_0,\ G(\alpha'_0, \neg\alpha'_0, \tau'_0, 0, S_a, t_0)$
$\quad \wedge\ \sigma_0 \uplus (\emptyset, \emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset)$ is well-defined
$\quad \wedge\ \forall\sigma',\ \sigma'|_0 = \emptyset \wedge \sigma' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset)$ is well-defined $\supset$
$\quad\quad V(\sigma' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset), 0, \Phi)$
$\quad \wedge\ [\ ]_{\sigma_0, \alpha'_0, \neg\alpha'_0, \tau'_0}$

$GF'(j, \Phi, S_a) = GF'(j-1, \Phi, S_a)[\forall\sigma_j,\ H(\sigma_j, j, S_a, t_0) \supset$
$\quad (\exists\alpha'_j, \neg\alpha'_j, \tau'_j,\ G(\alpha'_j, \neg\alpha'_j, \tau'_j, j, S_a, t_0)$
$\quad \wedge\ \biguplus_{k=0}^{j}\sigma_k \uplus \biguplus_{k=0}^{j}(\emptyset, \emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset)$ is well-defined
$\quad \wedge\ \forall\sigma',\ \sigma'|_j = \emptyset \wedge \sigma' \uplus \biguplus_{k=0}^{j}\sigma_k \uplus \biguplus_{k=0}^{j}(\emptyset, \emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset)$ is well-defined $\supset$
$\quad\quad V(\sigma' \uplus \biguplus_{k=0}^{j}\sigma_k \uplus \biguplus_{k=0}^{j}(\emptyset, \emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset), j, \Phi)$
$\quad \wedge\ [\ ]_{\sigma_0, \alpha'_0, \neg\alpha'_0, \tau'_0, \ldots, \sigma_j, \alpha'_j, \neg\alpha'_j, \tau'_j})]_{\sigma_0, \alpha'_0, \neg\alpha'_0, \tau'_0, \ldots, \sigma_{j-1}, \alpha'_{j-1}, \neg\alpha'_{j-1}, \tau'_{j-1}}$

The definition of $GF'(j, \Phi, S_a)$ is very similar to the definition of $GF(j, \Phi, S_a)$. We leave abstract the properties of the existentially quantified action map, inaction map and time stamp map, and the properties of the final trace. Each feasibility lemma will instantiate $G$ and $V$ so that the induction hypothesis is strong enough to prove the lemma.

In the special case when $S_a = \{p\}$, we simply write $GF'(j, \Phi, p)$.




Lemma D.19 (Feasibility of (r1) in one state).

Given a state $i$ and $\sigma$ such that $\kappa \supseteq \kappa_p$ and $\forall j \geq i$, $\forall P \in \alpha(j)$, $p$ is not the performer of $P$, there exists a set of inactions $NAS$ such that

I. $p$ is the performer of all actions in $NAS$,

II. for all $P(s) \in NAS$ there exists a $P(w) \in \mathcal{A}_c(\varphi_c^-(p))$ such that there exists a substitution $\delta$ with $P(\delta(s)) = P(\delta(w))$,

III. given any well-formed trace $\sigma'$ such that $\neg\alpha'(i) \supseteq NAS$, $\mathrm{Tr}(\sigma'), i \models \forall x.\varphi_c^- \supset \varphi_{past}$.

Proof.

Given $\sigma$ and any $t$ for $x$, by Lemma D.13 there exists a set of inactions $NAS_t$ such that
  $p$ is the performer of all actions in $NAS_t$ (1)
  for all $P(s) \in NAS_t$ there exists a $P(w) \in \mathcal{A}_c(\varphi_c^-(p))$ such that (2)
  there exists a substitution $\delta$ with $P(\delta(s)) = P(\delta(w))$ (3)
  for all $\sigma$ with $\neg\alpha(i) \supseteq NAS_t$, $\sigma, i \Vdash \varphi_c^-(p)\{t/x\}$ (4)
By Lemma D.10, $\mathrm{Tr}(\sigma), i \not\models \varphi_c^-(p)\{t/x\}$ (5).
By the definition of $\models$, $\mathrm{Tr}(\sigma), i \models (\varphi_c^-(p) \supset \varphi_{past})\{t/x\}$ (6).
Let $NAS = \bigcup_t NAS_t$. By (1), I holds. By (2) and Lemma D.9, II holds.
By (6), given any $\sigma'$ such that $\neg\alpha'(i) \supseteq NAS$, $\mathrm{Tr}(\sigma'), i \models \forall x.(\varphi_c^-(p) \supset \varphi_{past})$ (7).

□


Lemma D.20 (Strong Feasibility of (r1)).

Let $G(\alpha, \neg\alpha, \tau, i, p, t_0) = (\alpha = \emptyset) \wedge (dom(\tau) = \{i\}) \wedge start(\tau) = t_0 \wedge dom(\neg\alpha) = \{i\} \wedge \forall P \in \neg\alpha(i),\ p$ is the performer of $P$

Let $V(\sigma, i, \Phi) = \forall\, \mathsf{G}\,\varphi_i \in \Phi,\ Tr(\sigma), i \models \varphi_i$

For all $j$, $GF'(j, \{\mathsf{G}\,(\forall x.\varphi^-(p) \supset \varphi_{past})\}, p)$

Proof. By induction on $j$.

Case: $j = 0$

Given any $\sigma_0$ such that,

$\sigma_0|_p = \emptyset,\ \kappa_0 \supseteq \kappa_p$ (1)

By Lemma D.19, there exists a set of inactions $NAS$ such that,

$p$ is the performer of all actions in $NAS$, (2)

given any $\sigma'$ such that $\neg\alpha'(i) \supseteq NAS$, if $\sigma'$ is well-formed, then $Tr(\sigma'), i \models \forall x.\varphi^-(p) \supset \varphi_{past}$ (3)

let $\alpha' = \emptyset$, $\tau'(0) = \tau_0(0)$, $\neg\alpha'(0) = NAS$

By (2),

$G(\alpha', \neg\alpha', \tau', 0, p, t_0)$ holds (4)

Since the actions in $\sigma_0$ and $\neg\alpha'$ belong to different performers,

$\sigma_0 \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)$ is well-defined (5)

By (3) and (5),

$Tr(\sigma_0 \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)), 0 \models \forall x.(\varphi^-(p) \supset \varphi_{past})$ (6)

Case: $j = k$

By I.H. on $(k-1)$,

$GF'(k-1, \{\mathsf{G}\,(\forall x.\varphi^-(p) \supset \varphi_{past})\}, \{p\})$ (1)

To show $GF'(k, \{\mathsf{G}\,(\forall x.\varphi^-(p) \supset \varphi_{past})\}, \{p\})$, we unfold $GF'(k-1, \{\mathsf{G}\,(\forall x.\varphi^-(p) \supset \varphi_{past})\}, \{p\})$, and the first $k-1$ layers of alternating $\forall$ and $\exists$ quantification in $GF'(k, \{\mathsf{G}\,(\forall x.\varphi^-(p) \supset \varphi_{past})\}, \{p\})$ will be discharged by $GF'(k-1, \{\mathsf{G}\,(\forall x.\varphi^-(p) \supset \varphi_{past})\}, \{p\})$; now we obtain,

$\forall 0 \leq n < k,\ (\sigma_n|_{n-1} = \emptyset)(\sigma_n|_n = \sigma_n),\ start(\tau_n) = \tau_0(0),\ (\sigma_n|_p = \emptyset),\ \kappa_n \supseteq \kappa_p$ (2)

$\forall 0 \leq n < k,\ \alpha_{pn} = \emptyset,\ \forall P \in \neg\alpha_{pn},\ p$ is the performer of $P$, $dom(\neg\alpha_{pn}) = dom(\tau_{pn}) = \{n\}$ (3)

$start(\tau_{pn}) = \tau_0(0)$ (4)

$Tr(\sigma_0 \uplus (\emptyset, \emptyset, \alpha_{p0}, \neg\alpha_{p0}, \tau_{p0}, \emptyset) \uplus \cdots \uplus \sigma_n \uplus (\emptyset, \emptyset, \alpha_{pn}, \neg\alpha_{pn}, \tau_{pn}, \emptyset)), n \models \forall x.(\varphi^-(p) \supset \varphi_{past})$ (5)

Given any $\sigma_k$ such that

$(\sigma_k|_{k-1} = \emptyset)(\sigma_k|_k = \sigma_k),\ (\sigma_k|_p = \emptyset),\ start(\tau_k) = \tau_0(0),\ \kappa_k \supseteq \kappa_p$ (6)

Let $\sigma = \sigma_0 \uplus (\emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset) \uplus \cdots \uplus \sigma_k$,

By Lemma D.19, there exists a set of inactions $NAS$ such that,

$p$ is the performer of all actions in $NAS$, (7)

given any $\sigma'$ such that $\neg\alpha'(i) \supseteq NAS$, if $\sigma'$ is well-formed, then $Tr(\sigma'), i \models \forall x.\varphi^-(p) \supset \varphi_{past}$ (8)

let $\alpha' = \emptyset$, $\tau'(k) = \tau_k(k)$, $\neg\alpha'(k) = NAS$

By (7), (2),

$G(\alpha', \neg\alpha', \tau', k, p, \tau_0(0))$ holds (9)

Since the actions in $\sigma_k$ and $\neg\alpha'$ belong to different performers,

$\sigma \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)$ is well-defined (10)

By (8) and (10),

$Tr(\sigma \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)), k \models \forall x.\varphi^-(p) \supset \varphi_{past}$ (11)

□


Lemma D.21 (Feasibility of (r2) in one state).

Given state $\sigma$, $i$ such that $\kappa \supseteq \kappa_p$, $\vdash \varphi_{past}$ fin, $\vdash \varphi^+_f(p)$ sat and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$, there exists a finite action map $\alpha_p$, and $\tau_p$

I. $\forall j \in dom(\alpha_p),\ j > i$, $\forall j \in dom(\tau_p),\ j > i$, and $start(\tau_p) = start(\tau)$

II. $p$ is the performer of all actions in the range of $\alpha_p$,

III. for all $P(s) \in range(\alpha_p)$ there exists a $P(w) \in \mathcal{A}f(\varphi^+_f(p))$ such that there exists a substitution $\delta^\circ$, and $P(\delta^\circ(s)) = P(\delta^\circ(w))$.

IV. given any $\sigma'$ such that $\sigma'|_i = \emptyset$ and $\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)$ is well-defined, then $Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)) \models \forall x.(\varphi_{past} \supset \varphi^+_f(p))$


Proof.

Given $\sigma$, $i$, such that $\kappa \supseteq \kappa_p$

By Lemma D.4,

there is a finite set of substitutions $\Delta$ such that $\forall \delta \in \Delta,\ Tr(\sigma), i \models \delta\varphi_{past}$ (1)

for each $\delta \in \Delta$,

By Lemma D.16, there exists a finite action map $\alpha^\delta_p$, and $\tau^\delta_p$ such that $start(\tau^\delta_p) = \tau(0)$

$\forall j \in dom(\alpha^\delta_p),\ j > i$ (2)

$p$ is the performer of all actions in the range of $\alpha^\delta_p$ (3)

for all $P(s) \in range(\alpha^\delta_p)$ there exists a $P(w) \in \mathcal{A}f(\delta\varphi^+_f(p))$ such that there exists a substitution $\delta^\circ$, and $P(\delta^\circ(s)) = P(\delta^\circ(w))$. (4)

for all $\sigma \supseteq (\kappa_p, \emptyset, \emptyset, \alpha^\delta_p, \emptyset, \tau^\delta_p, \emptyset)$, $\sigma, i \Vdash \delta\varphi^+_f(p)$ (5)

(6)

let $\alpha_p = \bigcup_\delta \alpha^\delta_p$, $\tau_p = \bigcup_\delta \tau^\delta_p$,

By (2), I. holds

By (3), II. holds

By (4) and Lemma D.9, III. holds

if $\sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)$ is well-defined, given any $\sigma'$ such that $\sigma'|_i = \emptyset$,

By (5),

$\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset), i \Vdash \delta\varphi^+_f(p)$ (7)

By Lemma D.10,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)), i \models \delta\varphi^+_f(p)$ (8)

By Lemma D.6, (6) and Lemma D.2,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)), i \models \delta\varphi_{past}$ (9)

and $\forall \delta' \notin \Delta$, $Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)), i \not\models \delta'\varphi_{past}$ (10)

By the definition of $\models$, (9) and (8),

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)), i \models \delta(\varphi_{past} \supset \varphi^+_f(p))$ (11)

By the definition of $\models$ and (11),

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)), i \models \forall x.(\varphi_{past} \supset \varphi^+_f(p))$ (12)

□


Lemma D.22 (Strong Feasibility of (r2)).

Let $G(\alpha, \neg\alpha, \tau, i, p, t_0) = (\neg\alpha = \emptyset) \wedge \forall k \in dom(\alpha),\ k > i \wedge \forall k \in dom(\tau),\ k > i \wedge start(\tau) = t_0 \wedge \forall k \in dom(\alpha),\ \forall P \in \alpha(k),\ p$ is the performer of $P$

Let $V(\sigma, i, \Phi) = \forall\, \mathsf{G}\,\varphi_i \in \Phi,\ Tr(\sigma), i \models \varphi_i$

If $\vdash \varphi_{past}$ fin, $\cdot;\cdot \vdash \varphi^+_f$ and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$, then for all $j$, $GF'(j, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p))\}, p)$

Proof. By induction on $j$.


Case: $j = 0$

Given any $\sigma_0$ such that,

$\sigma_0|_p = \emptyset,\ \kappa_0 \supseteq \kappa_p$ (1)

By Lemma D.21, there exists a finite action map $\alpha'$, and $\tau'$ such that,

$start(\tau') = \tau_0(0)$ (2)

$\forall n \in dom(\alpha'),\ n > i$, $p$ is the performer of all actions in the range of $\alpha'$, (3)

given any $\sigma''$ such that $\sigma''|_0 = \emptyset$, if $\sigma'' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$ is well-defined then $\sigma'' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset), 0 \models \forall x.(\varphi_{past} \supset \varphi^+_f(p))$ (4)

let $\neg\alpha' = \emptyset$,

By (3), (2),

$G(\alpha', \neg\alpha', \tau', 0, p, \tau_0(0))$ holds (5)

Since the actions in $\sigma_0$ and $\neg\alpha'$ belong to different performers,

$\sigma_0 \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)$ is well-defined (6)

By (4),

$Tr(\sigma'' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)), 0 \models \forall x.\varphi_{past} \supset \varphi^+_f(p)$ (7)

Case: $j = k$

By I.H. on $(k-1)$,

$GF'(k-1, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p))\}, \{p\})$ (1)

To show $GF'(k, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p))\}, \{p\})$, we unfold $GF'(k-1, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p))\}, \{p\})$, and the first $k-1$ layers of alternating $\forall$ and $\exists$ quantification in $GF'(k, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p))\}, \{p\})$ will be discharged by $GF'(k-1, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p))\}, \{p\})$; now we obtain,

$\forall 0 \leq n < k,\ (\sigma_n|_{n-1} = \emptyset)(\sigma_n|_n = \sigma_n),\ start(\tau_n) = \tau_0(0),\ (\sigma_n|_p = \emptyset),\ \kappa_n \supseteq \kappa_p$ (2)

$(\neg\alpha_{pn} = \emptyset),\ \forall m \in dom(\alpha_{pn}),\ m > n$ (3)

$start(\tau_{pn}) = \tau_0(0)$ (4)

$\forall P \in range(\alpha_{pn})$, $p$ is the performer of $P$ (5)

Given any $\sigma_k$ such that

$(\sigma_k|_{k-1} = \emptyset)(\sigma_k|_k = \sigma_k),\ (\sigma_k|_p = \emptyset),\ start(\tau_k) = \tau_0(0),\ \kappa_k \supseteq \kappa_p$ (6)

Let $\sigma = \sigma_0 \uplus (\emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset) \uplus \cdots \uplus \sigma_k$,

By Lemma D.21, there exists a finite action map $\alpha'$, and $\tau'$ such that,

$\forall n \in dom(\alpha'),\ n > i$, $p$ is the performer of all actions in the range of $\alpha'$, (7)

$\forall n \in dom(\tau'),\ n > i$, and $start(\tau') = \tau_0(0)$ (8)

given $\sigma''$ such that $\sigma''|_k = \emptyset$, if $\sigma'' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset)$ is well-defined

then $\sigma'' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha', \emptyset, \tau', \emptyset), k \models \forall x.\varphi_{past} \supset \varphi^+_f(p)$ (9)

let $\neg\alpha' = \emptyset$,

By (7), (8),

$G(\alpha', \neg\alpha', \tau', 0, p, \tau_0(0))$ holds (10)

Since the actions in $\sigma_k$ and $\neg\alpha'$ belong to different performers,

$\sigma \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)$ is well-defined (11)

By (9),

$Tr(\sigma'' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha', \neg\alpha', \tau', \emptyset)), 0 \models \forall x.\varphi_{past} \supset \varphi^+_f(p)$ (12)

□


Lemma D.23 (Feasibility of (r3) in one state).

Given state $i$, $\sigma$ such that $\kappa \supseteq \kappa_p$, and $\cdot;\cdot \vdash \varphi^-_f(p)$ sat, there exists a finite action map $\neg\alpha_p$, and $\tau_p$

I. $\forall j \in dom(\neg\alpha_p),\ j > i$, $\forall j \in dom(\tau_p),\ j > i$, and $start(\tau_p) = start(\tau)$

II. $p$ is the performer of all actions in the range of $\neg\alpha_p$,

III. for all $P(s) \in range(\neg\alpha_p)$ there exists a $P(w) \in \mathcal{A}f(\varphi^-_f(p))$ such that there exists a substitution $\delta^\circ$, and $P(\delta^\circ(s)) = P(\delta^\circ(w))$.

IV. given any $\sigma'$ such that $\sigma'|_i = \emptyset$ and $\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \emptyset, \tau_p, \emptyset)$ is well-defined, then $\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \emptyset, \neg\alpha_p, \tau_p, \emptyset) \models \forall x.\varphi_{past} \supset \varphi^-_f$

Proof (sketch): Similar to the proof of Lemma D.19. □

Lemma D.24 (Strong Feasibility of (r3)).

Let $G(\alpha, \neg\alpha, \tau, i, p, t_0) = (\neg\alpha = \emptyset) \wedge \forall k \in dom(\alpha),\ k > i \wedge \forall k \in dom(\tau),\ k > i \wedge start(\tau) = t_0 \wedge \forall k \in dom(\alpha),\ \forall P \in \alpha(k),\ p$ is the performer of $P$

Let $V(\sigma, i, \Phi) = \forall\, \mathsf{G}\,\varphi_i \in \Phi,\ Tr(\sigma), i \models \varphi_i$

For all $j$, $GF'(j, \{\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^-_f(p))\}, p)$

Proof (sketch): Similar to the proof of Lemma D.20. □

Theorem D.25 (Feasibility of a single responsibility).

F1. $\mathsf{G}\,\forall x.\varphi^-(p) \supset \varphi_{past}$ is feasible for agent $p$

F2. $\mathsf{G}\,\forall x.\varphi_{past} \supset \varphi^+_f(p)$ is feasible for agent $p$ if $\vdash \varphi_{past}$ fin, $\cdot \vdash \varphi^+_f$ and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$

F3. $\mathsf{G}\,\forall x.\varphi_{past} \supset \varphi^-_f(p)$ is feasible

Proof.

F1. By Lemma D.20.

F2. By Lemma D.22.

F3. By Lemma D.24.

□

Lemma D.26 (Feasibility compositions for one agent in one state). Let $\Phi$ be a set of responsibilities, and $\Phi = \Phi_c, \Phi_{f+}, \Phi_{f-}$, where $\forall\, \mathsf{G}\,\varphi \in \Phi_c$, $\varphi$ is of the form $\forall x.\varphi^-(p) \supset \varphi_{past}$, $\forall\, \mathsf{G}\,\varphi \in \Phi_{f+}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^+_f(p)$, and $\forall\, \mathsf{G}\,\varphi \in \Phi_{f-}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^-_f(p)$.

1. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^-_f(p)) \in \Phi_{f-}$, $\cdot;\cdot \vdash \varphi^-_f$ sat

2. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\vdash \varphi_{past}$ fin, $\vdash \varphi^+_f$ sat and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$

3. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_{f_2}(p)) \in \Phi_{f+}$, $\mathcal{A}f(\varphi^+_{f_j}(p)) \vdash \neg\varphi_{past_i}$ ($i = 1, 2$, $j = 1, 2$, $i \neq j$)

4. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^-_{f_2}(p)) \in \Phi_{f-}$, for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}f(\varphi^-_{f_2}(p)) = \emptyset$

5. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi^-_2(p) \supset \varphi_{past_2}) \in \Phi_c$,

(a) either for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}c(\varphi^-_2(p)) = \emptyset$

(b) or $\varphi_{past_1} = \varphi_p$, and for all $P \in \mathcal{A}c(\varphi^-_2(p))$, for each mgu $\delta$ such that $\delta P \in \delta(\mathcal{A}f(\varphi^+_{f_1}(p)))$, $\delta\varphi_p \vdash \delta\varphi_{past_2}$

Given any $\sigma$, $i$ such that

1. $\kappa \supseteq \kappa_p$,

2. $\forall j > i$, $\forall P \in \alpha(j)$ such that $p$ is the performer of $P$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f+}$ and $\varphi_i = \forall x.\varphi_{past} \supset \varphi^+_f(p)$, $\exists k$, $\exists \delta$ such that $k \leq i$, and $\sigma, k \models \delta\varphi_{past}$, and $\sigma, k \Vdash \delta\varphi^+_f$, $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, and $P = \delta^\circ P'$

3. $\forall j > i$, $\forall P \in \neg\alpha(j)$ such that $p$ is the performer of $P$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f-}$ and $\varphi_i = \forall x.\varphi_{past} \supset \varphi^-_f(p)$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p))$, $\exists \delta^\circ$, and $P = \delta^\circ P'$

there exists $\alpha_p$, $\neg\alpha_p$, $\tau_p$, such that

1. $\forall k \in dom(\alpha_p),\ k > i$, $\forall k \in dom(\neg\alpha_p),\ k > i$, and $\forall k \in dom(\tau_p),\ k > i$ and $start(\tau_p) = start(\tau)$

2. $\forall P \in range(\alpha_p)$, $p$ is the performer of $P$

3. $\forall P \in range(\neg\alpha_p)$, $p$ is the performer of $P$

4. $\forall k \in dom(\alpha_p)$, $\forall P \in \alpha_p(k)$, $\exists\, \mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\exists \delta$ such that $\sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset), i \models \delta\varphi_{past}$, and $\sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset), i \Vdash \delta\varphi^+_f$, $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, and $P = \delta^\circ P'$

5. $\forall P \in (\neg\alpha_p(i))$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f-}$, such that $\exists P' \in \mathcal{A}f(\varphi^-_f(p)) \cup \mathcal{A}c(\varphi^-(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$

6. $\forall k \in dom(\neg\alpha_p),\ k > i$, $\forall P \in \alpha_p(k)$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$.

7. $\sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)$ is well-defined,

8. given any $\sigma'$ such that $\sigma'|_i = \emptyset$, $\forall \varphi_i \in \Phi$, if $\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)$ is well-defined then $\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset), i \Vdash \varphi_i$

Proof.

Given any $\sigma$, $i$, such that

$\kappa \supseteq \kappa_p$ (1)

$\forall j > i$, $\forall P \in \alpha(j)$ such that $p$ is the performer of $P$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f+}$ and $\varphi_i = \forall x.\varphi_{past} \supset \varphi^+_f(p)$, $\exists k$, $\exists \delta$ such that $k \leq i$, and $\sigma, k \models \delta\varphi_{past}$, $\sigma, k \Vdash \delta\varphi^+_f$, and $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, such that $P = \delta^\circ P'$ (2)

$\forall j > i$, $\forall P \in \neg\alpha(j)$ such that $p$ is the performer of $P$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f-}$ and $\varphi_i = \forall x.\varphi_{past} \supset \varphi^-_f(p)$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$ (3)

let $t^\circ = start(\tau)$,

Given any $\varphi_{r1} = \forall x.\varphi^-(p) \supset \varphi_{past}$ such that $\mathsf{G}\,\varphi_{r1} \in \Phi_c$,

Given any $t$ for $x$,

By Lemma D.13, there exists a set of inactions $NAS_t$ such that,

$p$ is the performer of all actions in $NAS_t$ (4)

for all $P(s) \in NAS_t$ there exists a $P(w) \in \mathcal{A}c(\varphi^-(p))$ such that there exists a substitution $\delta$, and $P(\delta(s)) = P(\delta(w))$ (5)

for all $\sigma$, $\neg\alpha(i) \supseteq NAS_t$, $\sigma, i \nVdash \varphi^-(p)\{t/x\}$ (6)

Given any $\varphi_{r2} = \forall x.\varphi_{past} \supset \varphi^+_f(p)$ such that $\mathsf{G}\,\varphi_{r2} \in \Phi_{f+}$,

By Lemma D.4,

there is a finite set of substitutions $\Delta$ such that $\forall \delta \in \Delta,\ Tr(\sigma), i \models \delta\varphi_{past}$ (7)

for each $\delta \in \Delta$,

By Lemma D.16, there exists a finite action map $\alpha^\delta_p$, and $\tau^\delta_p \succ t^\circ$

$\forall j \in dom(\alpha^\delta_p),\ j > i$, $\forall j \in dom(\tau^\delta_p),\ j > i$ (8)

$p$ is the performer of all actions in the range of $\alpha^\delta_p$ (9)

for all $P(s) \in range(\alpha^\delta_p)$ there exists a $P(w) \in \mathcal{A}f(\delta\varphi^+_f(p))$ such that there exists a substitution $\delta^\circ$, and $P(\delta^\circ(s)) = P(\delta^\circ(w))$. (10)

for all well-formed $\sigma_j$, $\sigma_j \supseteq (\kappa_p, \emptyset, \emptyset, \alpha^\delta_p, \emptyset, \tau^\delta_p, \emptyset)$, $\sigma_j, i \Vdash \delta\varphi^+_f(p)$ (11)


let $\alpha'_p = \bigcup_\delta \alpha^\delta_p$, $\tau_{p1} = \bigcup_\delta \tau^\delta_p$,

Given any $\varphi_{r3} = \forall x.\varphi_{past} \supset \varphi^-_f(p)$ such that $\mathsf{G}\,\varphi_{r3} \in \Phi_{f-}$,

for each $t$ for $x$,

By Lemma D.18, there exists a map $\neg\alpha_t$, and $\tau_t \succ t^\circ$

$\forall j \in dom(\neg\alpha_t),\ j > i$, $\forall j \in dom(\tau_t),\ j > i$ (12)

$p$ is the performer of all actions in the range of $\neg\alpha_t$ (13)

for all $P(s) \in range(\neg\alpha_t)$ there exists a $P(w) \in \mathcal{A}f(\delta\varphi^-_f(p))$ such that there exists a substitution $\delta^\circ$, and $P(\delta^\circ(s)) = P(\delta^\circ(w))$. (14)

for all well-formed $\sigma_j$, $\sigma_j \supseteq (\kappa_p, \emptyset, \emptyset, \emptyset, \neg\alpha_t, \emptyset, \tau_t, \emptyset)$, $\sigma_j, i \Vdash \delta\varphi^-_f(p)$ (15)

let $\neg\alpha'_p = \bigcup_t \neg\alpha_t$, $\tau_{p2} = \bigcup_t \tau_t$.

let $\alpha_p = \alpha'_p$, $\neg\alpha_p = \neg\alpha'_p \cup \{i \mapsto \bigcup_t NAS_t \cup \neg\alpha'_p(i)\}$, $\tau_p = \tau_{p1} \cup \tau_{p2}$

By (8), (12), 1 holds

By (4), (9), (13), 2 and 3 hold

By (10), 4 holds

By (5), (14), 5 and 6 hold

By assumption 3 about $\varphi_i$, (5), (10) and (14),

$\forall k,\ \alpha_p(k) \cap \neg\alpha_p(k) = \emptyset$ (16)

By the definition of $\neg\alpha_p$,

$\forall k,\ \alpha(k) \cap \neg\alpha_p(k) = \emptyset$ (17)

By assumption 3 about $\varphi_i$, (3) and (10),

$\forall k,\ \neg\alpha(k) \cap \alpha_p(k) = \emptyset$ (18)

By (16), (17) and (18),

$\sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)$ is well-defined (19)

Given any $\sigma'$, such that $\sigma'|_i = \emptyset$, and given any $\mathsf{G}\,\forall x.\varphi_{past} \supset \varphi^-_f(p) \in \Phi_{f-}$

By (15),

$\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset) \Vdash \forall x.\varphi_{past} \supset \varphi^-_f(p)$ (20)

Given any $\sigma'$, such that $\sigma'|_i = \emptyset$, and given any $\mathsf{G}\,\forall x.\varphi_{past} \supset \varphi^+_f(p) \in \Phi_{f+}$

By Lemma D.6, (7) and assumption 3 about $\varphi_i$, and Lemma D.2,

given the finite set $\Delta$ such that $\forall \delta \in \Delta$, $Tr(\sigma), i \models \delta\varphi_{past}$ and $\forall \delta' \notin \Delta$, $Tr(\sigma), i \not\models \delta'\varphi_{past}$,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \models \delta\varphi_{past}$ (21)

and $\forall \delta' \notin \Delta$, $Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \not\models \delta'\varphi_{past}$ (22)

By (10),

$\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset) \Vdash \delta\varphi^+_f(p)$ (23)

By the definition of $\Vdash$, (21), (22) and (23),

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \Vdash \forall x.(\varphi_{past} \supset \varphi^+_f(p))$ (24)

Given any $\sigma'$, such that $\sigma'|_i = \emptyset$, and given any $\mathsf{G}\,\forall x_1.\varphi^-(p) \supset \varphi_{past_1} \in \Phi_c$

Given any $\delta_{x_1}$ for $x_1$, there are three cases (i), (ii) and (iii)

(i). $NAS_t \cap (\alpha_p(i) \cup \alpha(i)) = \emptyset$,

By (6),

$\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset) \nVdash \delta_{x_1}\varphi^-(p)$ (25)

(ii). $\exists P \in NAS_t \cap (\alpha_p(i))$,

By (5),

$\exists P_1 \in \mathcal{A}c(\delta_{x_1}\varphi^-(p))$ such that $\exists \delta_1$ and $P = \delta_1 P_1$ (26)

By Lemma D.9,

$\exists P'_1 \in \mathcal{A}c(\varphi^-(p))$ such that $P_1 = \delta_{x_1} P'_1$ (27)

By the definition of $\alpha_p$ and (10),

$\exists\, \mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_f(p)) \in \Phi_{f+}$ such that $\exists \delta_{x_2}$ and $Tr(\sigma), i \models \delta_{x_2}(\varphi_{past_2})$, and (28)

$\exists P_2 \in \mathcal{A}f(\delta_{x_2}(\varphi^+_f(p)))$ such that $\exists \delta_2$ and $P = \delta_2 P_2$ (29)

By Lemma D.9,

$\exists P'_2 \in \mathcal{A}f(\varphi^+_f(p))$ such that $P_2 = \delta_{x_2} P'_2$ (30)

By (26), (27), (29) and (30),

there exists a most general unifier $\delta^\circ$ for $P'_1$ and $P'_2$, such that

$\delta_1\delta_{x_1} = \delta'\delta^\circ,\ \delta_2\delta_{x_2} = \delta'\delta^\circ$, (31)

By assumption 4(b) about $\varphi_i \in \Phi$,

$\varphi_{past_2} = \varphi_p$ and $\delta^\circ\varphi_{past_2} \vdash \delta^\circ\varphi_{past_1}$ (32)

By the substitution lemma on the proof rules,

$\delta'\delta^\circ\varphi_{past_2} \vdash \delta'\delta^\circ\varphi_{past_1}$ (33)

By Lemma D.6, (28) and assumption 2 about $\varphi_i$ and Lemma D.2,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \models \delta_{x_2}\varphi_{past_2}$ (34)

By soundness of the proof theory, (34), (31) and $\delta_{x_1}\varphi_{past_1}$ is closed,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \models \delta_{x_1}\varphi_{past_1}$ (35)

(iii). $\exists P \in NAS_t \cap \alpha(i)$,

By (5),

$\exists P_1 \in \mathcal{A}c(\delta_{x_1}\varphi^-(p))$ such that $\exists \delta_1$ and $P = \delta_1 P_1$ (36)

By Lemma D.9,

$\exists P'_1 \in \mathcal{A}c(\varphi^-(p))$ such that $P_1 = \delta_{x_1} P'_1$ (37)

By (2),

$\exists\, \mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_f(p)) \in \Phi_{f+}$ such that $\exists k$, $k \leq i$, $\exists \delta_{x_2}$ and $Tr(\sigma), k \models \delta_{x_2}(\varphi_{past_2})$, and (38)

$\sigma, k \Vdash \delta_{x_2}\varphi^+_{f_2}$ and $\exists P_2 \in \mathcal{A}f(\delta_{x_2}(\varphi^+_f(p)))$ such that $\exists \delta_2$ and $P = \delta_2 P_2$ (39)

By Lemma D.9,

$\exists P'_2 \in \mathcal{A}f(\varphi^+_f(p))$ such that $P_2 = \delta_{x_2} P'_2$ (40)

By (37), (38), (39) and (40),

there exists a most general unifier $\delta^\circ$ for $P'_1$ and $P'_2$, such that

$\delta_1\delta_{x_1} = \delta'\delta^\circ,\ \delta_2\delta_{x_2} = \delta'\delta^\circ$, (41)

By assumption 5(b) about $\varphi_i \in \Phi$,

$\varphi_{past_2} = \varphi_p$ and $\delta^\circ\varphi_{past_2} \vdash \delta^\circ\varphi_{past_1}$ (42)

By the substitution lemma on the proof rules,

$\delta'\delta^\circ\varphi_{past_2} \vdash \delta'\delta^\circ\varphi_{past_1}$ (43)

By Lemma D.6, (39) and assumption 3 about $\varphi_i$ and Lemma D.2,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), k \models \delta_{x_2}\varphi_{past_2}$ (44)

By $\varphi_{past_2} = \varphi_p$ and Lemma D.3,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \models \delta_{x_2}\varphi_{past_2}$ (45)

By soundness of the proof theory, (45), (43) and $\delta_{x_1}\varphi_{past_1}$ is closed,

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \models \delta_{x_1}\varphi_{past_1}$ (46)

By (25), (35), (46),

$Tr(\sigma' \uplus \sigma \uplus (\emptyset, \emptyset, \emptyset, \alpha_p, \neg\alpha_p, \tau_p, \emptyset)), i \Vdash \forall x_1.\varphi^-(p) \supset \varphi_{past_1}$ (47)

□


We make a small change to the structure of $GF'$. Now the abstract predicate $G$ takes an additional argument $\sigma$. In the definition of $GF'$, $G$ is supplied with $\biguplus_{k=0}^{j} \sigma_k \uplus \biguplus_{k=0}^{j} (\emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset)$ at level $j$.

Lemma D.27 (Strong feasibility compositions for one agent). Let $\Phi$ be a set of responsibilities, and $\Phi = \Phi_c, \Phi_{f+}, \Phi_{f-}$ where $\forall\, \mathsf{G}\,\varphi \in \Phi_c$, $\varphi$ is of the form $\forall x.\varphi^-(p) \supset \varphi_{past}$, $\forall\, \mathsf{G}\,\varphi \in \Phi_{f+}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^+_f(p)$, and $\forall\, \mathsf{G}\,\varphi \in \Phi_{f-}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^-_f(p)$.

Let $G(\sigma, \alpha, \neg\alpha, \tau, i, p, t_0) = \forall k \in dom(\alpha),\ k > i \wedge \forall k \in dom(\neg\alpha),\ k > i \wedge \forall k \in dom(\tau),\ k > i \wedge start(\tau) = t_0 \wedge$

$\forall P \in range(\alpha)$, $p$ is the performer of $P$ $\wedge$

$\forall P \in range(\neg\alpha)$, $p$ is the performer of $P$ $\wedge$

$\forall k \in dom(\alpha)$, $\forall P \in \alpha(k)$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f+}$, $\exists \delta$ such that $\sigma, i \models \delta\varphi_{past}$, and $\sigma, i \Vdash \delta\varphi^+_f$, $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, and $P = \delta^\circ P'$ $\wedge$

$\forall P \in (\neg\alpha(i))$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p)) \cup \mathcal{A}c(\varphi^-(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$ $\wedge$

$\forall k \in dom(\neg\alpha),\ k > i$, $\forall P \in \alpha(k)$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$.

Let $V(\sigma, i, \Phi) = \forall\, \mathsf{G}\,\varphi_i \in \Phi,\ Tr(\sigma), i \Vdash \varphi_i$

then for all $j$, $GF'(j, \Phi, p)$ if

1. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^-_f(p)) \in \Phi_{f-}$, $\cdot;\cdot \vdash \varphi^-_f$ sat

2. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\vdash \varphi_{past}$ fin, $\vdash \varphi^+_f$ and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$

3. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_{f_2}(p)) \in \Phi_{f+}$, $\mathcal{A}f(\varphi^+_{f_j}(p)) \vdash \neg\varphi_{past_i}$ ($i = 1, 2$, $j = 1, 2$, $i \neq j$)

4. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^-_{f_2}(p)) \in \Phi_{f-}$, for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}f(\varphi^-_{f_2}(p)) = \emptyset$

5. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi^-_2(p) \supset \varphi_{past_2}) \in \Phi_c$,

(a) either for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}c(\varphi^-_2(p)) = \emptyset$

(b) or $\varphi_{past_1} = \varphi_p$, and for all $P \in \mathcal{A}c(\varphi^-_2(p))$, for each mgu $\delta$ such that $\delta P \in \delta(\mathcal{A}f(\varphi^+_{f_1}(p)))$, $\delta\varphi_p \vdash \delta\varphi_{past_2}$


Proof. By induction on $j$.

Case: $j = 0$

Given any $\sigma_0$ such that,

$\sigma_0|_p = \emptyset,\ \kappa_0 \supseteq \kappa_p$ (1)

By Lemma D.26, there exists $\alpha'_0$, $\neg\alpha'_0$, $\tau'_0$ such that

$G(\sigma_0 \uplus (\emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset), \alpha'_0, \neg\alpha'_0, \tau'_0, i, p, t_0)$ holds (2)

and given $\sigma''$ such that $\sigma''|_0 = \emptyset$, $\sigma'' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset)$ is well-defined implies $V(\sigma'' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset), 0, \Phi)$ (3)

Case: $j = k$

By I.H. on $(k-1)$,

$GF'(k-1, \Phi, \{p\})$ (1)

To show $GF'(k, \Phi, \{p\})$, we unfold $GF'(k-1, \Phi, \{p\})$, and the first $k-1$ layers of alternating $\forall$ and $\exists$ quantification in $GF'(k, \Phi, \{p\})$ will be discharged by $GF'(k-1, \Phi, \{p\})$; now we obtain, $\forall 0 \leq n < k$,

$(\sigma_n|_{n-1} = \emptyset)(\sigma_n|_n = \sigma_n),\ start(\tau_n) = \tau_0(0),\ (\sigma_n|_p = \emptyset),\ \kappa_n \supseteq \kappa_p$ (2)

$\forall m \in dom(\alpha_{pn}),\ m > n$, $\forall m \in dom(\neg\alpha_{pn}),\ m > n$ (3)

$\forall m \in dom(\tau_{pn}),\ m > n \wedge start(\tau_{pn}) = \tau_0(0)$ (4)

$\forall P \in range(\alpha_{pn})$, $p$ is the performer of $P$ (5)

$\forall P \in range(\neg\alpha_{pn})$, $p$ is the performer of $P$ (6)

$\forall P \in range(\alpha_{pn})$, $\exists\, \mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\exists \delta$ such that $\biguplus_{m=0}^{n} \sigma_m \uplus \biguplus_{m=0}^{n} (\emptyset, \emptyset, \alpha'_m, \neg\alpha'_m, \tau'_m, \emptyset), n \models \delta\varphi_{past}$ and $\biguplus_{m=0}^{n} \sigma_m \uplus \biguplus_{m=0}^{n} (\emptyset, \emptyset, \alpha'_m, \neg\alpha'_m, \tau'_m, \emptyset), n \Vdash \delta\varphi^+_f$, $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, and $P = \delta^\circ P'$ (7)

$\forall P \in range(\neg\alpha_{pn}(i))$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p)) \cup \mathcal{A}c(\varphi^-(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$ (8)

$\forall m \in dom(\neg\alpha_{pn})$ and $m > n$, $\forall P \in \alpha_{pn}(m)$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$ (9)

given any $\sigma'$ such that $\sigma'|_n = \emptyset$, $\forall \varphi \in \Phi$, $\sigma' \uplus \sigma_0 \uplus (\emptyset, \emptyset, \alpha_{p0}, \neg\alpha_{p0}, \tau_{p0}, \emptyset) \uplus \cdots \uplus \sigma_n \uplus (\emptyset, \emptyset, \alpha_{pn}, \neg\alpha_{pn}, \tau_{pn}, \emptyset), n \Vdash \varphi$ (10)

Given any $\sigma_k$ such that

$(\sigma_k|_{k-1} = \emptyset)(\sigma_k|_k = \sigma_k),\ (\sigma_k|_p = \emptyset),\ start(\tau_k) = \tau_0(0),\ \kappa_k \supseteq \kappa_p$ (11)

Let $\sigma = \sigma_0 \uplus (\emptyset, \emptyset, \alpha'_0, \neg\alpha'_0, \tau'_0, \emptyset) \uplus \cdots \uplus \sigma_k$,

By Lemma D.12, Lemma D.15, Lemma D.17, Lemma D.2, (7),

$\forall P \in range(\alpha_{pn})$, $\exists\, \mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\exists \delta$ such that $\sigma, n \models \delta\varphi_{past}$, and $\sigma, n \Vdash \delta\varphi^+_f$, $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, and $P = \delta^\circ P'$ (12)

By Lemma D.26, there exists $\alpha'_k$, $\neg\alpha'_k$, $\tau'_k$ such that

$G(\sigma \uplus (\emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset), \alpha'_k, \neg\alpha'_k, \tau'_k, i, p, \tau_0(0))$ holds (13)

and given $\sigma''$ such that $\sigma''|_k = \emptyset$, $\sigma'' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset)$ is well-defined implies $V(\sigma'' \uplus \sigma \uplus (\emptyset, \emptyset, \alpha'_k, \neg\alpha'_k, \tau'_k, \emptyset), k, \Phi)$ (14)

□


Theorem D.28 (Feasibility compositions for one agent). Let $\Phi$ be a set of responsibilities, and $\Phi = \Phi_c, \Phi_{f+}, \Phi_{f-}$ where $\forall\, \mathsf{G}\,\varphi \in \Phi_c$, $\varphi$ is of the form $\forall x.\varphi^-(p) \supset \varphi_{past}$, $\forall\, \mathsf{G}\,\varphi \in \Phi_{f+}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^+_f(p)$, and $\forall\, \mathsf{G}\,\varphi \in \Phi_{f-}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^-_f(p)$.

$\Phi$ is feasible for agent $p$ if

1. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^-_f(p)) \in \Phi_{f-}$, $\cdot \vdash \varphi^-_f$ sat

2. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\vdash \varphi_{past}$ fin, $\vdash \varphi^+_f$ and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$

3. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_{f_2}(p)) \in \Phi_{f+}$, $\mathcal{A}f(\varphi^+_{f_j}(p)) \vdash \neg\varphi_{past_i}$ ($i = 1, 2$, $j = 1, 2$, $i \neq j$)

4. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^-_{f_2}(p)) \in \Phi_{f-}$, for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}f(\varphi^-_{f_2}(p)) = \emptyset$

5. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi^-_2(p) \supset \varphi_{past_2}) \in \Phi_c$,

(a) either for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}c(\varphi^-_2(p)) = \emptyset$

(b) or $\varphi_{past_1} = \varphi_p$, and for all $P \in \mathcal{A}c(\varphi^-_2(p))$, for each mgu $\delta$ such that $\delta P \in \delta(\mathcal{A}f(\varphi^+_{f_1}(p)))$, $\delta\varphi_p \vdash \delta\varphi_{past_2}$

Proof. By Lemma D.27. □

Lemma D.29. For all $\sigma$, $i$ and $\sigma'$ such that $\sigma \uplus \sigma'$ is well-defined, $\sigma'|_{i-1} = \emptyset$, and $\forall P \in range(\alpha') \cup range(\neg\alpha')$, $p$ is not a performer, if $\sigma, i \Vdash \varphi_i$ where $\varphi_i$ is $\forall x.\varphi^-(p) \supset \varphi_{past}$ or $\forall x.\varphi_{past} \supset \varphi^+_f(p)$, or $\forall x.\varphi_{past} \supset \varphi^-_f(p)$, and $\vdash \varphi_{past}$ StrictPast, then $\sigma \uplus \sigma', i \Vdash \varphi_i$

Proof (sketch): By Lemma D.12, Lemma D.15, Lemma D.17, Lemma D.5. □

Lemma D.30 (Strong feasibility composition for multiple agents). Given a group of agents $S_a$, let $\Phi_p$ be the set of responsibilities for each agent $p \in S_a$. $\Phi_p = \Phi^p_c, \Phi^p_{f+}, \Phi^p_{f-}$ where $\forall\, \mathsf{G}\,\varphi \in \Phi^p_c$, $\varphi$ is of the form $\forall x.\varphi^-(p) \supset \varphi_{past}$, $\forall\, \mathsf{G}\,\varphi \in \Phi^p_{f+}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^+_f(p)$, and $\forall\, \mathsf{G}\,\varphi \in \Phi^p_{f-}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^-_f(p)$.

Let $G(\sigma, \alpha, \neg\alpha, \tau, i, S_a) = \forall k \in dom(\alpha),\ k > i \wedge \forall k \in dom(\neg\alpha),\ k > i \wedge \forall k \in dom(\tau),\ k > i \wedge start(\tau) = t_0 \wedge$

$\forall P \in range(\alpha)$, $\exists p \in S_a$ such that $p$ is the performer of $P$ $\wedge$

$\forall P \in range(\neg\alpha)$, $\exists p \in S_a$ such that $p$ is the performer of $P$ $\wedge$

$\forall k \in dom(\alpha)$, $\forall P \in \alpha(k)$, $\exists p \in S_a$, $\exists\, \mathsf{G}\,\varphi_i \in \Phi_{f+}$, $\exists \delta$ such that $\sigma, i \models \delta\varphi_{past}$, and $\sigma, i \Vdash \delta\varphi^+_f$, $\exists P' \in \mathcal{A}f(\delta\varphi^+_f(p))$, and $\exists \delta^\circ$, and $P = \delta^\circ P'$ $\wedge$

$\forall P \in (\neg\alpha(k))$, $\exists p \in S_a$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p)) \cup \mathcal{A}c(\varphi^-(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$ $\wedge$

$\forall k \in dom(\neg\alpha),\ k > i$, $\forall P \in \alpha(k)$, $\exists p \in S_a$, $\exists P' \in \mathcal{A}f(\varphi^-_f(p))$, $\exists \delta^\circ$, and $\delta^\circ P = \delta^\circ P'$.

Let $V(\sigma, i, \Phi) = \forall\, \mathsf{G}\,\varphi_i \in \Phi,\ Tr(\sigma), i \Vdash \varphi_i$

For all $j$, $GF'(j, \Phi_p, S_a)$, if for each $\mathsf{G}\,\varphi_i \in \Phi$, the past formula in $\varphi_i$ is $\varphi_{past}$, and $\vdash \varphi_{past}$ StrictPast, and

1. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^-_f(p)) \in \Phi_{f-}$, $\vdash \varphi^-_f$ sat

2. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\vdash \varphi_{past}$ fin, $\vdash \varphi^+_f$ and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$

3. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_{f_2}(p)) \in \Phi_{f+}$, $\mathcal{A}f(\varphi^+_{f_j}(p)) \vdash \neg\varphi_{past_i}$ ($i = 1, 2$, $j = 1, 2$, $i \neq j$)

4. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^-_{f_2}(p)) \in \Phi_{f-}$, for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}f(\varphi^-_{f_2}(p)) = \emptyset$

5. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi^-_2(p) \supset \varphi_{past_2}) \in \Phi_c$,

(a) either for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}c(\varphi^-_2(p)) = \emptyset$

(b) or $\varphi_{past_1} = \varphi_p$, and for all $P \in \mathcal{A}c(\varphi^-_2(p))$, for each mgu $\delta$ such that $\delta P \in \delta(\mathcal{A}f(\varphi^+_{f_1}(p)))$, $\delta\varphi_p \vdash \delta\varphi_{past_2}$

Proof. By induction on $j$. Similar to the proof of Lemma D.27. We use Lemma D.26 to obtain a planned trace for each agent, then we use Lemma D.29 to compose the traces from different agents.

□

Theorem D.31 (Feasibility composition for multiple agents). Given a group of agents $S_a$, let $\Phi_p$ be the set of responsibilities for each agent $p \in S_a$. $\Phi_p = \Phi^p_c, \Phi^p_{f+}, \Phi^p_{f-}$ where $\forall\, \mathsf{G}\,\varphi \in \Phi^p_c$, $\varphi$ is of the form $\forall x.\varphi^-(p) \supset \varphi_{past}$, $\forall\, \mathsf{G}\,\varphi \in \Phi^p_{f+}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^+_f(p)$, and $\forall\, \mathsf{G}\,\varphi \in \Phi^p_{f-}$, $\varphi$ is of the form $\forall x.\varphi_{past} \supset \varphi^-_f(p)$.

The union of $\Phi_p$ for all $p \in S_a$ is feasible for $S_a$ if for each $\mathsf{G}\,\varphi_i \in \Phi$, the past formula in $\varphi_i$ is $\varphi_{past}$, and $\vdash \varphi_{past}$ StrictPast, and

1. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^-_f(p)) \in \Phi_{f-}$, $\vdash \varphi^-_f$ sat

2. for all $\mathsf{G}\,(\forall x.\varphi_{past} \supset \varphi^+_f(p)) \in \Phi_{f+}$, $\vdash \varphi_{past}$ fin, $\vdash \varphi^+_f$ and $\mathcal{A}f(\varphi^+_f(p)) \vdash \varphi_{past}$

3. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^+_{f_2}(p)) \in \Phi_{f+}$, $\mathcal{A}f(\varphi^+_{f_j}(p)) \vdash \neg\varphi_{past_i}$ ($i = 1, 2$, $j = 1, 2$, $i \neq j$)

4. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi_{past_2} \supset \varphi^-_{f_2}(p)) \in \Phi_{f-}$, for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}f(\varphi^-_{f_2}(p)) = \emptyset$

5. for any two responsibilities $\mathsf{G}\,(\forall x_1.\varphi_{past_1} \supset \varphi^+_{f_1}(p)) \in \Phi_{f+}$, $\mathsf{G}\,(\forall x_2.\varphi^-_2(p) \supset \varphi_{past_2}) \in \Phi_c$,

(a) either for all $\delta$, $\delta\mathcal{A}f(\varphi^+_{f_1}(p)) \cap \delta\mathcal{A}c(\varphi^-_2(p)) = \emptyset$

(b) or $\varphi_{past_1} = \varphi_p$, and for all $P \in \mathcal{A}c(\varphi^-_2(p))$, for each mgu $\delta$ such that $\delta P \in \delta(\mathcal{A}f(\varphi^+_{f_1}(p)))$, $\delta\varphi_p \vdash \delta\varphi_{past_2}$

Proof. By Lemma D.30. □